Forum Discussion
AWS CloudHSM with TLS SNI feature - multiple HTTPS sites on one IP
Hi Guys,
We are implementing F5 LTM VEs v11.6 and v12.0 in AWS, and we are going to use CloudHSM for our key management.
We also have a requirement to terminate multiple HTTPS sites on one IP, and for this we are considering using the TLS SNI feature/SAN (not wildcard SSL!).
From the F5 documentation, it seems it is not possible to achieve both CloudHSM + TLS SNI (below):
The certificate and key pairs for each of the HTTPS sites must be hosted on the virtual server.
The above prerequisite states that TLS SNI is not possible, as the keys need to be on the virtual server/F5 box, but in our case they will be on AWS CloudHSM.
Any ideas how to do this?
Cheers
Hi Ebathaei,
When dealing with SNI to host multiple sites on a single IP address, you basically have the following three options at your fingertips:
1.) Terminate the TLS connections (aka SSL inspection) on your F5 and let the F5 automatically select the right SSL certificate.
2.) Layer 4 forward the TLS connection (i.e. no SSL inspection) directly to your backend and let the backend handle the SNI-based SSL certificate selection.
3.) Layer 4 inspect the initial START_TLS message on your F5 and then dynamically forward the connection to different internal, non-SNI-aware IP:Port combinations.
So either use 2.) if your HSM supports SNI, or use 3.) if your HSM doesn't support SNI.
Cheers, Kai
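To make option 3.) concrete, here is an added example (not code from the thread, F5, or AWS) that models what the F5 would do when it inspects the client's first TLS message without terminating TLS: parse the ClientHello far enough to pull out the server_name extension and map it to an internal IP:Port. On an LTM this logic lives in an iRule (TCP::collect, then scanning the collected bytes); the Python below does the same byte walking so the record layout and the failure modes are visible. The backend map, the addresses, and the ClientHello itself are constructed for the example; `build_client_hello` exists only to produce test input, it is not captured traffic.

```python
import struct

# Hypothetical SNI -> internal backend map (constructed for this example).
# Each backend is a non-SNI-aware listener holding one cert/key (e.g. HSM-backed).
BACKENDS = {
    "www.example.com": ("10.0.1.10", 443),
    "api.example.com": ("10.0.1.20", 443),
}
# Clients that send no SNI (or an unknown name) land here; rejecting is the other option.
DEFAULT_BACKEND = ("10.0.1.99", 443)


def _take(buf, pos, n):
    """Slice n bytes at pos or raise; a short body inside a complete record is malformed."""
    if pos + n > len(buf):
        raise ValueError("malformed ClientHello")
    return buf[pos:pos + n], pos + n


def _parse_server_name(ext_body):
    """server_name extension: u16 list length, then (u8 name_type, u16 len, bytes) entries."""
    raw, q = _take(ext_body, 0, 2)
    end = q + struct.unpack("!H", raw)[0]
    while q < end:
        hdr, q = _take(ext_body, q, 3)
        name, q = _take(ext_body, q, struct.unpack("!H", hdr[1:3])[0])
        if hdr[0] == 0:  # name_type 0 = host_name
            return name.decode("ascii")
    return ""


def extract_sni(data):
    """Return the SNI host_name, "" if the ClientHello carries none,
    or None if the record is not yet complete and more bytes must be collected."""
    if len(data) < 5:
        return None
    if data[0] != 0x16:  # not a TLS handshake record (plaintext HTTP, SSLv2, ...)
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None  # ClientHello split across segments: keep collecting
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                    # handshake type + 3-byte length
    _, pos = _take(hs, pos, 2 + 32)            # client_version + random
    sid_len, pos = _take(hs, pos, 1)           # session_id
    _, pos = _take(hs, pos, sid_len[0])
    cs_len, pos = _take(hs, pos, 2)            # cipher_suites
    _, pos = _take(hs, pos, struct.unpack("!H", cs_len)[0])
    cm_len, pos = _take(hs, pos, 1)            # compression_methods
    _, pos = _take(hs, pos, cm_len[0])
    if pos == len(hs):
        return ""                              # legacy client: no extensions block at all
    ext_total, pos = _take(hs, pos, 2)
    exts, _ = _take(hs, pos, struct.unpack("!H", ext_total)[0])
    p = 0
    while p < len(exts):
        hdr, p = _take(exts, p, 4)
        etype, elen = struct.unpack("!HH", hdr)
        body, p = _take(exts, p, elen)
        if etype == 0:                          # extension_type 0 = server_name
            return _parse_server_name(body)
    return ""


def select_backend(data):
    """Pick the internal IP:Port for a connection from its buffered first bytes.
    None means 'not enough data yet'; the caller keeps collecting and retries."""
    sni = extract_sni(data)
    if sni is None:
        return None
    if sni == "":
        return DEFAULT_BACKEND
    return BACKENDS.get(sni.lower().rstrip("."), DEFAULT_BACKEND)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record as test input (not real traffic)."""
    exts = struct.pack("!HH", 0x000A, 4) + struct.pack("!HH", 2, 0x0017)  # supported_groups first
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                          # version, random
            + b"\x00"                                         # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"      # two cipher suites
            + b"\x01\x00"                                     # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "other.example.com", None):
        print(host, "->", select_backend(build_client_hello(host)))
```

The point of the exercise is that the ClientHello, and with it the server_name extension, is sent in the clear, so the F5 can route on it without holding any private key; the keys stay with the backend listeners (and their HSM). Two details matter in practice: the ClientHello may arrive in more than one TCP segment, so the iRule must keep collecting until the record length is satisfied, and clients that send no SNI must be given an explicit destination rather than falling through to whatever pool happens to be last.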