Forum Discussion
raphael_norber1
Nimbostratus
Sep 11, 2006
Cert Problem
I'm not sure if there is a solution to my issue, but Support suggested there might be an iRule solution. Basically, I am attempting this:
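when HTTP_REQUEST {
    # HTTP::host returns the Host header value, which carries no scheme,
    # so compare against the bare host name.
    if { [HTTP::host] equals "www.domain1.com" } {
        set ::redirect_uri ""
        # This runs only after the SSL handshake has completed.
        HTTP::redirect https://domain2.com
    }
}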
domain1 and domain2 have the same VIP. They need to have the same IP addy, due to a number of clients who have the IP address hard-coded into their proxy servers, and we don't want them to have to change the IP address. The redirect works fine, but the clients are getting a cert warning, due to the hostname mismatch. So my question is: is there a way to do the redirect somehow before the SSL handshake? I do have a cert for domain2, so if I could somehow stop the SSL handshake before the redirect, that would work, or, if I could somehow associate multiple certs with a single VIP, that would work also. Any ideas would be greatly appreciated.
1 Reply
- Colin_Walker_12 (Historic F5 Account)
This type of chicken-and-egg SSL cert question has been asked a few times before. If you search the forums you'll probably find a couple of different discussions related to similar topics.
The short answer is, no, there isn't a way to read the information in the HTTP headers before the SSL handshake has occurred, so you won't be able to see what the hostname is without first decrypting the data. At this point, you've already exchanged the cert, and the user has seen an alert if they are prompted to accept a cert for a different domain.
Colin