Forum Discussion
ebathaei_188323
Nimbostratus
Feb 17, 2016
AWS Cloud HSM with TLS SNI feature - multiple HTTPs on one IP
Hi Guys,
We are implementing F5 LTM VEs v11.6 and v12.0 in AWS, and we are going to use CloudHSM for our key management.
We also have a requirement to terminate multiple HTTPS sites on one ...
Kai_Wilke
MVP
Feb 18, 2016
Hi Ebathaei,
when dealing with SNI to host multiple sites on a single IP address, you basically have the following 3 different options at your fingertips...
1. Terminate the TLS connections (aka SSL inspect) on your F5 and let the F5 automatically select the right SSL certificate.
2. Layer4 forward the TLS connection (aka don't SSL inspect) directly to your backend and let the backend handle the SNI based SSL certificate selection.
3. Layer4 inspect the initial START_TLS message on your F5 and then dynamically forward the connection to different internal non-SNI aware IP:Port combinations.
So either use 2.) if your HSM supports SNI, or use 3.) if your HSM doesn't support SNI.
Cheers, Kai