Forum Discussion
chris_16019
Nimbostratus
May 29, 2008
Basic SSL Profile question
Please forgive the noobish question, I've only just returned from the basic LTM training.
I have two secure certificates and keys that need applying to an SSL profile, and then to a vi...
hoolio
Cirrostratus
May 30, 2008
The issue isn't with BIG-IP--it's with HTTPS as a protocol. When a client makes an HTTPS request, the HTTP host header value is encrypted. In order to present the correct certificate you must know which Host (abc.pl or abc.com.pl) the client has made the request to. In order to see the host header value, you must decrypt the SSL. To do so, you have to present a certificate to the client. You're right that this comes up frequently--unfortunately, the solution isn't an iRule, it's using separate virtual servers or a single certificate which is valid for multiple FQDN's.
Recently, posters here suggested using an SSL certificate with Subject Alternate Names (SANs) to support multiple FQDN's in the same certificate (and same VIP). We ended up getting one for our network to support domain.com and www.domain.com. Perhaps you can do this as well? Most cert authorities and browsers support SANs now.
Try searching the forums here or on a search engine for ssl certificate and SANs for details. Here's one example where Deb listed a few links: (Click here).
Aaron
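The SAN approach from the reply above, as an added example that is not part of the original posts: a Python check of which hostnames on one virtual server a certificate's SAN dNSName list actually covers. It goes slightly beyond the thread by including wildcard entries, using the common RFC 6125 matching rules in simplified form; the function names and the certificate name lists are constructed for illustration.

```python
# Added example: which hostnames a certificate's SAN dNSName list covers.
# Simplified RFC 6125 matching; no public-suffix check. Names are constructed.

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard is honoured only as the whole left-most label, and only
        # when at least two labels follow it (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "w*.abc.pl" are refused outright.
    return "*" not in pattern and p == h

def covered(san_list, hostname):
    return any(san_matches(s, hostname) for s in san_list)

def uncovered_hosts(san_list, hostnames):
    """Hostnames on one virtual server that the certificate would not validate for."""
    return [h for h in hostnames if not covered(san_list, h)]

if __name__ == "__main__":
    # Hostnames pointed at a single virtual server (from the thread, plus www).
    vip_hosts = ["abc.pl", "abc.com.pl", "www.abc.pl"]
    # Constructed SAN lists for three candidate certificates.
    certs = {
        "single-name cert": ["abc.pl"],
        "wildcard cert": ["*.abc.pl"],
        "SAN cert": ["abc.pl", "www.abc.pl", "abc.com.pl"],
    }
    for label, sans in certs.items():
        print(label, "-> uncovered:", uncovered_hosts(sans, vip_hosts))
```

Only the certificate listing every FQDN leaves no uncovered hostname; a wildcard entry does not cover the bare domain or a different domain.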