How to inject Server Name Extension (SNI) on server-side based on HTTP Host by Aflex?
We are replacing the F5 load balancer. Could you please let me know how to implement this iRule using aflex or other methods?
The client request SSL packet header does not contain SNI, and it needs to be extracted from the Host field of the HTTP packet header.
F5 iRule:
when HTTP_REQUEST {
    # Take the host part of the Host header (drop any :port)
    set sni_value [getfield [HTTP::host] ":" 1]
}
when SERVERSSL_CLIENTHELLO_SEND {
    # Insert a server_name (type 0) extension carrying that host name
    SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
}
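The byte layout that the iRule above passes to SSL::extensions insert, as an added Python example that is not part of the original post and is not F5 or A10 code: it builds the same server_name extension, parses it back with every length field checked, and first vets the client-controlled Host value. The function names and the hostname validation policy are assumptions of this example.

```python
import ipaddress
import re
import struct

# Assumed validation policy for this example: LDH labels, at most 253 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z){_LABEL}(?:\.{_LABEL})*\Z")


def sni_name_from_host(host_header):
    """Return the name to send as SNI, or None if the Host value is unsuitable."""
    host = host_header.strip().lower()
    if host.startswith("["):                   # bracketed IPv6 literal
        return None
    name = host.split(":", 1)[0].rstrip(".")   # like: getfield [HTTP::host] ":" 1
    try:
        ipaddress.ip_address(name)
    except ValueError:
        # Not an IP literal: accept only a syntactically valid DNS name.
        return name if _HOSTNAME.match(name) else None
    return None                                # RFC 6066: no IP literals in SNI


def build_sni_extension(name):
    """Encode the server_name extension with the iRule's SSScSa* layout."""
    raw = name.encode("ascii")
    # S: extension type 0 (server_name)   S: extension length = len + 5
    # S: server name list length = len + 3
    # c: name type 0 (host_name)          S: name length, then the name (a*)
    header = struct.pack(">HHHBH", 0, len(raw) + 5, len(raw) + 3, 0, len(raw))
    return header + raw


def parse_sni_extension(ext):
    """Decode a server_name extension, rejecting inconsistent length fields."""
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack(">HHHBH", ext[:9])
    name = ext[9:]
    if (ext_type, name_type) != (0, 0):
        raise ValueError("not a host_name server_name extension")
    if (ext_len, list_len, name_len) != (len(name) + 5, len(name) + 3, len(name)):
        raise ValueError("inconsistent length fields")
    return name.decode("ascii")
```
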
Answers
I tried use-client-sni, but it doesn't work on the https port.
Maybe SSL::payload can help? Can anybody help me, please? 😫🤣
The intended function of "use-client-sni" is to copy the SNI from the client side client hello to the server side client hello. Unfortunately, if the SNI is already missing from the client, we cannot copy it to the server.
I have not found a native configuration to support this use-case. In Aflex, I do not see a function for SSL::extensions insert…
Do existing APIs provide methods to handle this situation?
And can multiple certificates support this use-case?
APIs will not offer additional configuration options beyond the CLI and GUI. We still have the same challenge.
Can you explain the multiple certificate use-case? How do multiple certificates interact with the client SNI?
If I can use aflex to change the value of “server name” of the serverssltemplate