Issue: SSL Connection Refused by CloudFront Backend Related to SNI

Description

For customers using CDN services such as CloudFront backends that enforce the Host header in the same way SNI is enforced, the backend may fail to respond to requests whose HTTP Host header is not configured on the CloudFront backend.

Environment

  • Silverline WAF
  • Silverline DDoS
  • Proxy/Proxies
  • SSL Profile 

Cause

CloudFront backends can enforce the Host header in the same way SNI is implemented, so the backend refuses connections whose HTTP Host header is not configured on the backend. One indication of this condition is that you are able to connect to the backend over HTTP but not over HTTPS.

Resolution

The following items should be implemented:

  1. Host header rewrite iRule

      when HTTP_REQUEST priority 350 {
          if { [string tolower [HTTP::host]] ne "incoming.site.is" } {
              # Rewrite host
              HTTP::header replace Host "incoming.site.is"
          }
      }

    • The above iRule is only supported to allow traffic flow from Silverline to the backend; it cannot be implemented to satisfy application functionality, as described in iRules in Silverline: Scope of Support.
  2. Create a new Backend SSL Profile and make the following change under Advanced SSL Settings.
     Always select the "Compatible" cipher suite "NATIVE:!SSLv3:!EXPORT:!MD5:!ADH:@STRENGTH" unless it is confirmed that a stricter cipher suite is compatible with the backend cipher suites.
  • [Screenshot: Advanced SSL Settings of the Backend SSL Profile]
  • The iRule and the Backend SSL Server Name configuration can only be implemented by SOC. Please contact SOC (Contact SOC / Contact Silverline Support).
  • Attach both the iRule and the Backend SSL Profile to the proxy. 
  • Confirm that the connection is successful. 
  3. If the issue still occurs and is likely related to the SNI setting:
    • You can adapt the iRule to the following. The SERVERSSL_CLIENTHELLO_SEND event inserts a server_name extension carrying the rewritten host (minus any :port suffix) into the ClientHello sent to the backend:

      when HTTP_REQUEST priority 350 {
          if { [string tolower [HTTP::host]] ne "incoming.site.is" } {
              # Rewrite host
              HTTP::header replace Host "incoming.site.is"
          }
          # Capture the SNI value after the rewrite and outside the if block so it is
          # always set; otherwise SERVERSSL_CLIENTHELLO_SEND would reference an
          # unset variable when the incoming Host already matches
          set sni_value [getfield [HTTP::host] ":" 1]
      }

      when SERVERSSL_CLIENTHELLO_SEND priority 350 {
          # Only insert server_name when an HTTP request has set sni_value
          if { [info exists sni_value] } {
              # server_name extension: type 0, extension length, list length,
              # name type 0 (host_name), name length, name
              SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
          }
      }

    • https://support.f5.com/csp/article/K41600007
    • In addition, revert any changes to the Server Name field in the Backend SSL profile.
    • Also, remove/disable the SNI configuration on the proxy configuration.

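To make clear what the `binary format SSScSa*` line in the iRule emits, here is an added Python example (not part of this article or of F5's code) that builds the same server_name extension layout, mirrors the `getfield [HTTP::host] ":" 1` step, and validates the nested lengths when parsing the extension back; the hostname and function names are constructed for illustration.

```python
import struct

EXT_SERVER_NAME = 0   # TLS extension type for server_name (RFC 6066)
NAME_TYPE_HOST = 0    # host_name entry type inside the ServerNameList


def host_header_to_sni(host_header: str) -> str:
    """Mirror 'getfield [HTTP::host] ":" 1': keep the name, drop any :port."""
    return host_header.split(":", 1)[0].lower()


def build_sni_extension(hostname: str) -> bytes:
    """Build the server_name extension with the same fields, in the same order
    and widths, as the iRule's 'binary format SSScSa*':
    type (16-bit), extension length (16-bit), list length (16-bit),
    name type (8-bit), name length (16-bit), then the name bytes."""
    name = hostname.encode("ascii")
    n = len(name)
    # '!' = big-endian (network order), H = 16-bit, B = 8-bit
    header = struct.pack("!HHHBH", EXT_SERVER_NAME, n + 5, n + 3, NAME_TYPE_HOST, n)
    return header + name


def parse_sni_extension(ext: bytes) -> str:
    """Decode a server_name extension and check that the three nested lengths
    agree; a hand-rolled extension with a wrong length is rejected by the
    peer's TLS stack, so this is the check worth running before deploying."""
    if len(ext) < 9:
        raise ValueError("extension too short")
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    if ext_type != EXT_SERVER_NAME or name_type != NAME_TYPE_HOST:
        raise ValueError("not a host_name server_name extension")
    if ext_len != list_len + 2 or list_len != name_len + 3 or len(ext) != 4 + ext_len:
        raise ValueError("inconsistent extension/list/name lengths")
    return ext[9:9 + name_len].decode("ascii")


def is_valid_sni_extension(ext: bytes) -> bool:
    """True when the bytes form a self-consistent host_name extension."""
    try:
        parse_sni_extension(ext)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the Host header value used throughout the article
    sni = host_header_to_sni("incoming.site.is:443")
    ext = build_sni_extension(sni)
    print(ext.hex(), parse_sni_extension(ext))
```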