ltm rule command SSL extensions
iRule(1) BIG-IP TMSH Manual iRule(1)
SSL::extensions
Returns or manipulates SSL extensions.
SYNOPSIS
SSL::extensions (count |
(exists -type EXT_TYPE_VALUE) |
(-index EXT_NUMBER) |
(-type EXT_TYPE_VALUE))?
SSL::extensions insert OPAQUE_EXT
DESCRIPTION
Returns or manipulates SSL extensions.
RETURN VALUE
SSL::extensions
Returns the extensions sent by the peer as a single opaque byte
array.
Valid in all SSL handshake events (those other than *SSL_DATA).
SSL::extensions count
Returns the number of extensions received.
SSL::extensions -index
Returns the opaque extension byte array corresponding to the
specified N-th (zero-indexed) extension.
SSL::extensions -type
Returns the opaque extension byte array corresponding to the
specified extension type value, or an empty string if not found.
Returns only the first instance if the same extension type is
present more than once.
SSL::extensions exists -type
Returns 0 if no extension corresponding to the specified extension
type value was provided, or non-zero if at least one such extension
exists.
SSL::extensions insert
Appends the opaque extension specified by a byte array to the set
of extensions to send to the peer.
Valid only in SERVERSSL_CLIENTHELLO_SEND and CLIENTSSL_CLIENTHELLO
events. No validation of the extension is performed beyond checking
that the encoded length matches the extension data.
Note: a byte array contains one or more encoded extensions, each consisting
of the extension type, size, and data.
VALID DURING
CLIENTSSL_CLIENTCERT CLIENTSSL_HANDSHAKE CLIENTSSL_CLIENTHELLO
SERVERSSL_HANDSHAKE SERVERSSL_SERVERHELLO SERVERSSL_CLIENTHELLO_SEND
EXAMPLES
when CLIENTSSL_HANDSHAKE {
    log local0.info "CLIENTSSL_HANDSHAKE"
    set ext_count [SSL::extensions count]
    log local0.info "SSL::extensions count = $ext_count"
    for {set i 0} {$i < $ext_count} {incr i} {
        binary scan [SSL::extensions -index $i] S1S1H* ext_type ext_len ext
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension #[expr {$i + 1}]: (type $ext_type len $ext_len) $ext"
    }
    binary scan [SSL::extensions] H* exts
    log local0.info "SSL extensions: $exts"
    set ext_exists [SSL::extensions exists -type 35]
    log local0.info "SSL extension type 35 exists: $ext_exists"
    if {$ext_exists} {
        set scan [binary scan [SSL::extensions -type 35] S1S1H* ext_type ext_len ext]
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension type 35: (scan $scan type $ext_type len $ext_len) $ext"
    }
    set ext_exists [SSL::extensions exists -type 0]
    log local0.info "SSL extension type 0 exists: $ext_exists"
    if {$ext_exists} {
        set scan [binary scan [SSL::extensions -type 0] S1S1H* ext_type ext_len ext]
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension type 0: (scan $scan type $ext_type len $ext_len) $ext"
    }
}
Sample log output:
: CLIENTSSL_HANDSHAKE
: SSL::extensions count = 1
: SSL extension #1: (type 65281 len 1) 00
: SSL extensions: ff01000100
: SSL extension type 35 exists: 0
: SSL extension type 0 exists: 0
when CLIENTSSL_CLIENTHELLO {
    set my_ext "Hello world!"
    set my_ext_type 62965
    SSL::extensions insert [binary format S1S1a* $my_ext_type [string length $my_ext] $my_ext]
}
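The opaque byte array that SSL::extensions returns and that SSL::extensions insert accepts is a sequence of 2-byte big-endian type, 2-byte big-endian length, and data. The following added example (not part of the BIG-IP manual) parses that layout in Python, applies the same length check that insert performs, and reproduces the "-type" first-match behaviour; the only input is the constructed array ff01000100 taken from the sample log output above.

```python
"""Parse and build the opaque extension byte array used by SSL::extensions.

Added example, not BIG-IP code. Layout per extension: 2-byte big-endian type,
2-byte big-endian length, then that many data bytes, which is what the Tcl
calls `binary scan ... S1S1H*` and `binary format S1S1a*` above read and write.
"""
import struct
from typing import List, Optional, Tuple


def parse_extensions(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split an opaque byte array into (type, data) pairs in wire order.

    Raises ValueError when a header is truncated or a declared length runs
    past the end of the array: the one check SSL::extensions insert performs.
    """
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError(f"truncated extension header at offset {off}")
        ext_type, ext_len = struct.unpack_from("!HH", blob, off)
        off += 4
        if ext_len > len(blob) - off:
            raise ValueError(f"type {ext_type} declares {ext_len} bytes, "
                             f"only {len(blob) - off} remain")
        out.append((ext_type, blob[off:off + ext_len]))
        off += ext_len
    return out


def build_extension(ext_type: int, data: bytes) -> bytes:
    """Encode one extension as the CLIENTSSL_CLIENTHELLO example does.

    The length comes from the byte string itself, so the encoded length
    always matches the data (the condition insert checks for).
    """
    if not 0 <= ext_type <= 0xFFFF or len(data) > 0xFFFF:
        raise ValueError("type and length must each fit in 16 bits")
    return struct.pack("!HH", ext_type, len(data)) + data


def find_extension(blob: bytes, ext_type: int) -> Optional[bytes]:
    """Mirror `SSL::extensions -type`: first matching extension, or None."""
    for ext, data in parse_extensions(blob):
        if ext == ext_type:
            return build_extension(ext, data)
    return None


# Constructed input: the array from the sample log output above
# (renegotiation_info, type 65281, a single 0x00 data byte).
SAMPLE = bytes.fromhex("ff01000100")
```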
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-11.1.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)