TLS/SSL filter based on server name indication (SNI)? #614
Replies: 1 comment 3 replies
-
|
I believe this scenario does not require decrypting TLS. A Level 4 firewall can handle it, with the addition of SNI reading functionality to determine whether to allow passage. |
Beta Was this translation helpful? Give feedback.
-
|
right, no TLS decrypting required, just thought if ecapture can handle non-decrypting and decrypting, and take active action like allow or drop if certain part of non-decrypting part of SSL header like server name matches. for now ecapture just passively decrypt TLS/SSL. |
Beta Was this translation helpful? Give feedback.
-
|
Parsing SNI at the TC and XDP layers is quite cumbersome, and I do not advocate implementing it in eBPF. You might consider using a HOOK to intercept functions related to parsing SNI in openssl, make judgments after reading the SNI, and for blocking purposes, you could consider interacting with the TC layer by exchanging data via ebpf and sending RST packets. Additionally, eCapture is designed for decrypting and capturing network packets; there are currently no plans to add blocking functionality. |
Beta Was this translation helpful? Give feedback.
-
|
right cumbersome, like this example https://stackoverflow.com/questions/70760516/bpf-verifier-fails-because-of-invalid-access-to-packet, maybe just a quick hack solution :). This request was raised from ipfire community. I thought it is good use case for eBPF, I recorded some other ideas in vincentmli/BPFire#34. |
Beta Was this translation helpful? Give feedback.
-
Cilium has similar feature request here cilium/cilium#28513, there is sample code here https://github.com/quarkslab/peetch/blob/master/peetch/ebpf_programs/peetch_uprobes.c to extract ciphersuite from SSL session, with some modification, I assume it should be able to extract SNI extension?
Beta Was this translation helpful? Give feedback.
All reactions