Forum Discussion
Can we have multiple Client SSL profiles on a single VIP?
Hi There,
Can we have multiple client SSL profiles on a single VIP? I am looking for some help on this.
We need to have some rules like below.
www.mywebsite.rain.com --> SSL Profile SSL_rain
www.mywebsite.snow.com --> SSL Profile SSL_snow
www.mywebsite.sunny.com --> SSL Profile SSL_sunny
This requirement comes from the application side, as we use the same VIP for all three websites and the server determines which website to present to the user based on the URLs.
Can someone shed some light on this, please?
- Pascal_Tene_910Historic F5 Account
Yes. You need to enable the Server Name Indication (SNI) feature. https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html?sr=50950622 SOL13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature
- F5_Freek_243545Nimbostratus
Hi Pascal, using TLS SNI, we can have only one fallback SSL profile, right? I have three different URLs. Can we configure three different profiles?
- Pascal_Tene_910Historic F5 Account
You can have several Client SSL profiles assigned to the virtual server. One of the profiles must have "Default SSL Profile for SNI" enabled, and the "server name" must be different for each profile.
- F5_Freek_243545Nimbostratus
There is a challenge that the client must support TLS SNI, right? We have internet-based clients and can't predict the nature of the clients.
Can we create an iRule for the same?
- Chris_GrantEmployee
I would point out that SNI has been supported by IE since 2006 (v7), Firefox since 2006 (v2), and Chrome since 2010 (v6). For comparison, Chrome 6.0 does not support TLS 1.1 or TLS 1.2, nor does Firefox 2.0 or Internet Explorer 7. I can understand wanting to reach these customers, but these are at this point extremely out-of-date browsers.
- John_Alam_45640Historic F5 Account
I agree with cg4unix. In any case, the iRule itself cannot solve this issue because it does not see the hostname unless SNI is enabled and supported. Alternatives are wildcard or SAN certs. With wildcard certs you will have only one profile, and the iRule can choose a pool based on the host name.
- F5_Freek_243545Nimbostratus
Thanks everyone. I configured TLS SNI and it worked like a champ.