iRule to add support for the Certificate Transparency TLS extension to F5 Big-IP devices
# This iRule can be used to add support for the Certificate Transparency TLS extension to F5 Big-IP devices
# The SCT list must be generated manually, and the sct variable below updated
#
# To generate an SCT list, the Submit-CertToCT cmdlet from https://github.com/magnuswatn/Cert-Tools can be used
#
# Magnus Watn <[email protected]>
when RULE_INIT {
    # Base64-encoded SCT list, i.e. the raw extension data for the Certificate
    # Transparency TLS extension. It is generated out-of-band for the certificate
    # this virtual server presents (see the header comment for the tooling).
    # NOTE(review): an SCT list is produced for one specific certificate, so it
    # has to be regenerated whenever the server certificate is renewed —
    # confirm that this is part of the certificate rollover procedure.
    set sctList [b64decode APAAdwBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAV5Dgt9KAAAEAwBIMEYCIQCYgk4UXnDg3B1DLvsmaJtjFLjpdpE2xfRVBiUeE5MQVgIhALkAY37w2+ydiSf2VNNaYprD/Uqw8mIyQJWz7HahYExvAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFTb7OoKgAABAMARjBEAiB+LIypJ4JILb0EBg0NLK1Xjpu3/N4FuyAp7UPwkRKWMQIgbbLIrfh4WPdtDq5/DZXIxUMqXheCo8WdHaMKwTsW2/g=]
    # Pre-build the complete TLS extension once: a 16-bit big-endian type
    # (18 = the SCT extension, matched in CLIENTSSL_CLIENTHELLO), a 16-bit
    # big-endian length, then the decoded list bytes.
    set extType 18
    set extLen [string length $sctList]
    # static:: variables are shared box-wide, so two copies of this iRule on the
    # same device would overwrite each other unless the variable name is changed.
    set static::sct [binary format SSa* $extType $extLen $sctList]
}
when CLIENTSSL_CLIENTHELLO {
    # Only reply with an SCT list when the client actually offered the SCT
    # extension (type 18) in its ClientHello; clients that did not ask for it
    # get an unmodified ServerHello.
    if { ![SSL::extensions exists -type 18] } {
        return
    }
    # Inject the pre-built extension (type, length, data) from RULE_INIT.
    SSL::extensions insert $static::sct
}
when HTTP_RESPONSE {
    # Expect-CT in enforce mode asks a compliant client to refuse this host when
    # its Certificate Transparency requirements are not met. Keep max-age small
    # until SCT delivery from CLIENTSSL_CLIENTHELLO has been verified end to end,
    # so a stale or missing SCT list (for example after a certificate renewal)
    # cannot lock clients out for longer than the cached policy.
    # NOTE(review): this header is added to every response, including ones where
    # the backend already set Expect-CT (insert adds, it does not replace) —
    # confirm that duplicating it is acceptable.
    set expectCtPolicy "enforce, max-age=30"
    HTTP::header insert Expect-CT $expectCtPolicy
}