Bug ID 559004: No support for server-side TLS SNI

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0

Opened: Nov 18, 2015

Severity: 3-Major

Symptoms

The BIG-IP system is unable to perform server-side SNI without using an iRule.

Impact

You must write an iRule that dynamically selects a server SSL profile based on the client's Host header.

Conditions

-- Server-side pool members are configured to use TLS SNI.
-- More than one valid server name exists.

Workaround

None.

Fix Information

A new parameter, 'serverssl-use-sni', has been added to the virtual server. If multiple server SSL profiles are configured and serverssl-use-sni is enabled, the server SSL profile whose server-name matches the SNI extension in the ClientHello is selected. In the example below, server SSL profile s.1 (the sni-default profile) is used by default, unless the client connects using the SNI 'valid-client', in which case profile s.2 is used.

ltm profile server-ssl s.1 {
    app-service none
    cipher-group none
    ciphers ECDHE-RSA-AES128-SHA256
    server-name none
    sni-default true
}
ltm profile server-ssl s.2 {
    app-service none
    cipher-group none
    ciphers DHE-RSA-AES256-GCM-SHA384
    server-name valid-client
    session-ticket enabled
}
ltm virtual tls {
    destination 10.98.22.213:https
    ip-protocol tcp
    mask 255.255.255.255
    pool ssl
    profiles {
        c.1 { context clientside }
        s.1 { context serverside }
        s.2 { context serverside }
        tcp { }
    }
    serverssl-use-sni enabled
    source 0.0.0.0/0
    source-address-translation { type automap }
}
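The selection rule in the Fix Information above can be checked offline against a configuration before it is deployed. The following Python script is an added example, not F5 code or part of the bug tracker entry: it parses the tmsh objects shown on this page (embedded as the input), collects the server-side SSL profiles attached to the virtual server, and models how serverssl-use-sni picks a profile for a given client SNI, falling back to the profile marked sni-default when the SNI is absent or matches nothing. Hostname comparison is done case-insensitively here, and the behaviour when serverssl-use-sni is disabled (fall back to the sni-default profile) is an assumption, since the page only describes the enabled case.

```python
import re

# tmsh configuration taken from the Fix Information section of this page, used as
# the sample input for the parser and the selection model below.
TMSH_CONFIG = """
ltm profile server-ssl s.1 {
    app-service none
    cipher-group none
    ciphers ECDHE-RSA-AES128-SHA256
    server-name none
    sni-default true
}
ltm profile server-ssl s.2 {
    app-service none
    cipher-group none
    ciphers DHE-RSA-AES256-GCM-SHA384
    server-name valid-client
    session-ticket enabled
}
ltm virtual tls {
    destination 10.98.22.213:https
    ip-protocol tcp
    mask 255.255.255.255
    pool ssl
    profiles {
        c.1 { context clientside }
        s.1 { context serverside }
        s.2 { context serverside }
        tcp { }
    }
    serverssl-use-sni enabled
    source 0.0.0.0/0
    source-address-translation { type automap }
}
"""


def _tokens(text):
    """Split tmsh text into braces and whitespace-separated words."""
    return re.findall(r"\{|\}|[^\s{}]+", text)


def _parse_block(tokens, i):
    """Parse the tokens after an opening brace into a dict.

    Returns (dict, index just past the matching closing brace). A key followed
    by '{' becomes a nested dict; otherwise the next token is its value."""
    block = {}
    while tokens[i] != "}":
        key = tokens[i]
        if tokens[i + 1] == "{":
            block[key], i = _parse_block(tokens, i + 2)
        else:
            block[key] = tokens[i + 1]
            i += 2
    return block, i + 1


def parse_tmsh(text):
    """Parse top-level tmsh objects ('ltm profile server-ssl s.1 { ... }') into a dict
    keyed by the object header, e.g. 'ltm profile server-ssl s.1'."""
    tokens = _tokens(text)
    objects, i = {}, 0
    while i < len(tokens):
        header = []
        while tokens[i] != "{":
            header.append(tokens[i])
            i += 1
        body, i = _parse_block(tokens, i + 1)
        objects[" ".join(header)] = body
    return objects


def serverside_ssl_profiles(config, virtual_name):
    """Return {name: profile} for every server SSL profile attached to the virtual
    server with 'context serverside', plus whether serverssl-use-sni is enabled."""
    vs = config["ltm virtual " + virtual_name]
    names = [n for n, attrs in vs["profiles"].items()
             if isinstance(attrs, dict) and attrs.get("context") == "serverside"]
    profiles = {n: config["ltm profile server-ssl " + n] for n in names}
    return profiles, vs.get("serverssl-use-sni") == "enabled"


def select_server_ssl_profile(config, virtual_name, client_sni):
    """Model the serverssl-use-sni rule: the profile whose server-name equals the
    client's SNI wins; otherwise the profile with 'sni-default true' is used."""
    profiles, use_sni = serverside_ssl_profiles(config, virtual_name)
    default = next((n for n, p in profiles.items() if p.get("sni-default") == "true"), None)
    if use_sni and client_sni:
        for name, p in profiles.items():
            server_name = p.get("server-name", "none")
            # 'none' means the profile carries no server name and can only be the default.
            # Case-insensitive comparison is an assumption of this model (hostnames are
            # case-insensitive; the page does not say how BIG-IP compares them).
            if server_name != "none" and server_name.lower() == client_sni.lower():
                return name
    # No SNI, no match, or serverssl-use-sni disabled (assumed): use the sni-default profile.
    return default


if __name__ == "__main__":
    cfg = parse_tmsh(TMSH_CONFIG)
    for sni in ("valid-client", "other.example", None):
        print(sni, "->", select_server_ssl_profile(cfg, "tls", sni))
```

Running the script prints `s.2` for the SNI `valid-client` and `s.1` for an unmatched name or a ClientHello without SNI, which is the behaviour the Fix Information describes; a configuration with two profiles marked sni-default, or a server-side profile whose server-name is never reachable, shows up as a surprise here rather than on the data plane.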

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips