JanRovner
just joined
Topic Author
Posts: 9
Joined: Fri May 20, 2011 5:33 pm

Feature request: TLS SNI match - classify traffic based on TLS hostnames

Mon Oct 30, 2017 12:26 pm

Hello,
there exists an iptables extension called xt_tls - https://github.com/Lochnair/xt_tls - that can look into the TLS SNI field
and classify traffic based on the TLS hostnames present in the TLS handshake phase.

It would be much more efficient and resource friendly than general L7 protocol regex matching.

Usage: QoS, filtering and others.

Example usage (written using iptables syntax):
iptables -t mangle -A PREROUTING -p tcp --dport 443 -m tls --tls-host "*.facebook.com" -j MARK --set-mark 123
iptables -t mangle -A PREROUTING -p tcp --dport 443 -m tls --tls-host "*.googlevideo.com" -j MARK --set-mark 456
Could you please include / build it into the following versions of RouterOS?
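As an added illustration of what such a matcher has to do (example code written for this thread, not xt_tls's or RouterOS's own), the parser below pulls the host_name out of a TLS ClientHello's server_name extension and applies wildcard patterns like the ones in the rules above. The ClientHello builder, the hostnames and the mark values are constructed sample input; a hello with no SNI, a non-TLS payload or a truncated record yields no match rather than an error.

```python
import fnmatch
import struct

def extract_sni(payload: bytes):
    """Return the host_name in a TLS ClientHello's SNI extension, or None."""
    # Record header: content_type(1) version(2) length(2); 0x16 = handshake.
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello.
    if len(rec) < 4 or rec[0] != 0x01:
        return None
    hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    try:
        pos = 2 + 32                                          # client_version + random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hs)):
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and len(body) >= 5 and body[2] == 0:  # server_name, host_name
                name_len = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                           # truncated or malformed hello
    return None                                               # no SNI extension present

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello carrying one SNI extension (sample input)."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def classify(payload: bytes, rules: dict):
    """Return the mark of the first rule whose wildcard pattern matches the SNI."""
    host = extract_sni(payload) or ""
    for pattern, mark in rules.items():
        if fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return mark
    return None
```

Only the first flight of the handshake carries the name, so a classifier like this has to see the ClientHello packet; later packets of the same connection carry nothing to match on.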
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Feature request: TLS SNI match - classify traffic based on TLS hostnames

Mon Dec 18, 2017 11:32 pm

This would be great for traffic classification and also solve a lot of the "How do I block this HTTPS site" posts we see quite often.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature request: TLS SNI match - classify traffic based on TLS hostnames

Tue Dec 19, 2017 8:10 am

What's new in 6.41rc:

*) firewall - added "tls-host" firewall matcher;
