Forum Discussion
F5_Freek_243545
Nimbostratus
NimbostratusCan we have multiple Client SSL profile on single VIP?
Hi There,
Can we have multiple client SSL profile on single VIP? I am looking for some help on this.
We need to have some rules like below.
www.mywebsite.rain.com --> SSL Profile SSL_rain
www...
Yes. You need to enable the Server Name Indication (SNI) feature. https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html?sr=50950622 SOL13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature
F5_Freek_243545Nimbostratus
NimbostratusThere is a challenge that the client must support TLS SNI right? We have internet based clients and cant predict the nature of the clients.
Can we create an irule for the same ?
Chris_GrantEmployee
I would point out that SNI has been supported by IE since 2006 (v7), Firefox since 2006 (v2), and Chrome since 2010 (v6). For comparison, Chrome 6.0 does not support TLS 1.1 or TLS 1.2, nor does Firefox 2.0 or Internet Explorer 7. I can understand wanting to reach these customers, but these are at this point extremely out of date browsers.- i agree with cg4unix. In any case, the iRule itself cannot solve this issue because it does not see the hostname unless SNI is enabled and supported. Alternatives are wildcard or SAN certs. With wildcard certs you will have only one profile, the iRule can chose a pool based on the host name.
