[T&C] Example of using SNI with aFleX
In an SSL/TLS handshake, the client sends the name of the server it wants to reach in the Server Name Indication (SNI) extension of the ClientHello message.
For example, when you access the site https://intranet.a10tests.com, the server_name field of the SNI extension carries intranet.a10tests.com.
Starting from ACOS 5.1.0, this SNI field can be captured in aFleX with the command: SSL::hostname
To do so, log in to the Thunder device GUI and navigate to:
ADC > aFleX
Then click on “Create” to create a new aFleX script:
The script is as follows:
when CLIENTSSL_HANDSHAKE {
    log "SSL SNI is [SSL::hostname]"
}
Click on “Create” to create the script.
Now you can apply this script to a virtual port, say port 443 of a VIP.
To do so using GUI, navigate to:
ADC > SLB > Virtual Servers > VIP1 > Virtual Port > Update
Then specify the name of the aFleX script (e.g. log_sni) under the Advanced Fields section:
Click on “Update” to make the new changes take effect.
On the CLI, the resulting configuration looks as follows:
slb virtual-server VIP1 100.64.1.250
  port 443 https
    aflex log_sni
    service-group Server_HTTP
    template client-ssl a10tests.com
Now, when a client accesses the site https://intranet.a10tests.com, the handshake is logged as:
CFW(config)#sh log
Log Buffer: 30000
Nov 03 2020 23:31:00 Info [AFLEX]:log_sni:SSL SNI is intranet.a10tests.com
This is useful when multiple HTTPS sites share the same VIP and you want to log each of them individually. Keep in mind that the SNI value is supplied by the client in the clear and is not checked against the certificate, so treat it as untrusted input rather than as proof of which site was requested, and that clients which do not send SNI will produce an empty value.
In addition to the SNI field, you can also collect additional information such as SSL/TLS cipher name, cipher bits, and cipher version. Here is the aFleX script to do so:
when CLIENTSSL_HANDSHAKE {
    log "SSL cipher_name is [SSL::cipher name]"
    log "SSL cipher_bit is [SSL::cipher bits]"
    log "SSL cipher_version is [SSL::cipher version]"
    log "SSL SNI is [SSL::hostname]"
}
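Once these lines are in the log buffer or forwarded to a syslog collector, the natural next step is to aggregate them. The following added example (not part of the article and not an A10 tool) parses log lines in the format shown above, counts handshakes per SNI, counts handshakes with no SNI, and flags legacy protocol versions and ciphers under 128 bits. The sample lines are constructed; the exact strings that SSL::cipher name, bits and version emit are assumed, so adjust LEGACY_VERSIONS to what your device actually prints:

```python
import re
from collections import Counter

# Constructed sample of "show log" output in the format the article shows.  The
# cipher_name, cipher_bit and cipher_version values are assumed string forms,
# not output copied from a real device.
SAMPLE_LOG_LINES = [
    "Nov 03 2020 23:31:00 Info [AFLEX]:log_sni:SSL SNI is intranet.a10tests.com",
    "Nov 03 2020 23:31:00 Info [AFLEX]:log_sni:SSL cipher_name is ECDHE-RSA-AES128-GCM-SHA256",
    "Nov 03 2020 23:31:00 Info [AFLEX]:log_sni:SSL cipher_bit is 128",
    "Nov 03 2020 23:31:00 Info [AFLEX]:log_sni:SSL cipher_version is TLSv1.2",
    "Nov 03 2020 23:31:07 Info [AFLEX]:log_sni:SSL SNI is mail.a10tests.com",
    "Nov 03 2020 23:31:07 Info [AFLEX]:log_sni:SSL cipher_name is AES128-SHA",
    "Nov 03 2020 23:31:07 Info [AFLEX]:log_sni:SSL cipher_bit is 128",
    "Nov 03 2020 23:31:07 Info [AFLEX]:log_sni:SSL cipher_version is TLSv1",
    "Nov 03 2020 23:31:15 Info [AFLEX]:log_sni:SSL SNI is INTRANET.a10tests.com",
    "Nov 03 2020 23:31:20 Info [AFLEX]:log_sni:SSL SNI is",   # client sent no SNI
    "Nov 03 2020 23:31:20 Info [AFLEX]:log_sni:SSL cipher_name is DES-CBC3-SHA",
    "Nov 03 2020 23:31:20 Info [AFLEX]:log_sni:SSL cipher_bit is 112",
    "Nov 03 2020 23:31:20 Info [AFLEX]:log_sni:SSL cipher_version is TLSv1",
    "Nov 03 2020 23:31:25 Info [SYSTEM]: some unrelated line",
]

# One log line per aFleX "log" call: timestamp, severity, [AFLEX]:<script>:<message>.
AFLEX_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) "
    r"\[AFLEX\]:(?P<script>[^:]+):SSL (?P<field>\w+) is(?: (?P<value>.*))?$"
)

LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}   # assumed spelling of the version strings
MIN_CIPHER_BITS = 128


def summarize(lines):
    """Aggregate aFleX SSL log lines: handshakes per SNI (case-folded),
    handshakes without SNI, legacy protocol versions, and weak cipher strengths."""
    summary = {
        "sni_counts": Counter(),
        "missing_sni": 0,
        "legacy_versions": Counter(),
        "weak_cipher_bits": [],
        "unparsed": 0,
    }
    for line in lines:
        m = AFLEX_LINE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        field, value = m["field"], (m["value"] or "").strip()
        if field == "SNI":
            if value:
                summary["sni_counts"][value.lower()] += 1   # hostnames are case-insensitive
            else:
                summary["missing_sni"] += 1               # SSL::hostname was empty
        elif field == "cipher_version" and value in LEGACY_VERSIONS:
            summary["legacy_versions"][value] += 1
        elif field == "cipher_bit" and value.isdigit() and int(value) < MIN_CIPHER_BITS:
            summary["weak_cipher_bits"].append((m["ts"], int(value)))
    return summary


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG_LINES).items():
        print(key, dict(val) if isinstance(val, Counter) else val)
```

Because the four log calls in the script are emitted as separate lines with no connection identifier, the summary counts each field independently rather than trying to join SNI, cipher and version into one record per handshake; if you need that correlation, include a per-connection value in every log message from the aFleX script itself.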