Forum Discussion
El_Jefe
Nimbostratus
NimbostratusAppend FQDN to https request
Hello,
I am sure this has been asked many times, but I could not find it in search. We use our F5s here internally, and the users can get to the websites using an internal hostname - like https://server1 When it appears like this in the browser, the SSL cert is actually for server1.companyxyz.com, and so, the browser complains about the SSL cert. Is there any way to automatically append the companyxyz.com to the request?
Thanks,
Jeff
hooleylistCirrostratus
Hi Jeff,
If the first request is for https://server1 then the error occurs before LTM decrypts the SSL and could modify the HTTP headers. If the clients make an HTTP request first to http://server1, then you could redirect their HTTP request to HTTPS with the fully qualified domain name:when HTTP_REQUEST { HTTP::redirect https://server1.companyxyz.com[HTTP::uri] }
Aaron- As Aaron mentioned, there's a bit of a chicken vs. egg issue that many users end up facing when dealing with manipulating SSL traffic. The traffic must be decrypted on the LTM before any manipulation can be performed. The problem is, as in this case, if the user is requesting a name not represented on the certificate, they're going to get the initial mismatch error on the first handshake with the LTM, even if you're decrypting SSL on the LTM. At that point, now that the traffic is decrypted, you can certainly manipulate the traffic at will, but it's too late to stop them from seeing the initial SSL mismatch error.
Colin 
Michael_YatesThe short answer is No.
The client browser would be expecting a response matching the request "server1". The BIG-IP would respond with the SSL Certificate that is tied to that Virtual Server "server1.companyxyz.com".
The BIG-IP cannot analyze, modify, or change the SSL Profile being used on the Virtual Server with an iRule until after the traffic decryption (which is after the handshake that causes the SSL Certificate Mismatch Error).- ^ What he said. ;)
Colin - Michael_YatesLOL.....Nah....what you and Hoolio said.
We all jumped on this one.
I was typing my reply while you guys were posting yours.
Oops! :-) - I'll take more coverage over less any day. I love this dang community. :)
Colin 
Ryan_Paras_7933If you are involved with the issuing of the certificates, check out the use of Subject Alternative Names for your SSL certificate. Here is a quick explanation -> http://www.digicert.com/subject-alternative-name.htm- Nice Ryan, thanks.
Colin - Michael_YatesYea....that is a good point Ryan.
Some multi-SAN's cost the same as a Standard (the ones I use are 2 SAN Certificates called "Advantage Certificates". I have also heard them referred to as "Multi-Domain" Certificates).
The larger ones are Unified Communication Certificates (UCC) and normally used in newer (2007 and newer) Exchange Environments, and can have 10 or more SAN's.
