Forum Discussion
Sanal_Babu
Altostratus
Jan 01, 2018
2 URLs on same VIP with wildcard certificate
Here is the existing setup. VIP and pool members listening on 443. Wildcard certificate on the client ssl.
In server profile "abc.com" as server name.
Requirement:
One more URL to be added...
Hannes_Rapp
Nimbostratus
Jan 01, 2018
If all works with abc.com right now, and you already terminate clientssl with *.abc.com certificate, no changes on BigIP LTM are required to add support for xyx.abc.com. They just create a new DNS A record to point xyx.abc.com to the same VIP as abc.com and voila!
Serverssl profile has no domain-aware significance. It is used to enable BigIP to act as an SSL/TLS client so the traffic to Pool Member will be encrypted before it's forwarded downstream.
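A pre-check for the change discussed in the answer above, added here as an example and not part of the original posts: it applies the standard wildcard rule (the `*` stands for exactly one leftmost label) to the DNS names on a certificate and lists any hostname behind the VIP that is not covered. The SAN lists and function names are constructed for illustration.

```python
# Added example: does the certificate on the client SSL profile cover every
# hostname that will resolve to the VIP? SAN lists below are constructed.

def _labels(name):
    """Lower-case DNS labels of a name, ignoring trailing dots."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate DNS name covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False            # '*' never spans more or fewer labels
    if "*" not in pattern:
        return p == h           # plain name: exact, case-insensitive match
    # Conservative wildcard rule: '*' must be the entire leftmost label and
    # at least two literal labels must follow it ('*.com' is rejected).
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return p[1:] == h[1:]

def uncovered(san_dns_names, hostnames):
    """Hostnames that no DNS name on the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in san_dns_names)]

# Constructed inputs: two possible SAN lists and the names behind the VIP.
WILDCARD_ONLY = ["*.abc.com"]
WILDCARD_PLUS_APEX = ["*.abc.com", "abc.com"]
VIP_HOSTNAMES = ["abc.com", "xyx.abc.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(label, "-> not covered:", uncovered(sans, VIP_HOSTNAMES))
```

The actual DNS names on a certificate can be read with `openssl x509 -noout -text` and passed in place of the constructed lists.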
Hannes_Rapp
Nimbostratus
Jan 01, 2018
No server name should be specified in serverssl profile unless your external web address URLs do not match with listener configurations in web servers. If the web server is configured to listen on abc.com:443, either add xyx.abc.com:443 as second VirtualHost listener, or make it a wildcard listener that matches both. I see no good justification to use TLS SNI or any other F5 workaround for something as basic as this. Refer to Apache docs for help and use serverssl profile with DEFAULT settings, don't customize anything. If you specify abc.com as server name in serverssl profile, you are explicitly forcing all xyx.abc.com requests to abc.com listener and for obvious reasons this can't work.
