Forum Discussion

Fornacis_104805's avatar
Fornacis_104805
Icon for Nimbostratus rankNimbostratus
Nov 11, 2013

Help disabling SSL encryption on VS using SSL offload per host name

Hello everyone...I'm no F5 expert but you know how it is...I get volunteered for iRule work. :(   I have a VS that is using a wildcard cert, and the the thought is to point about 5 sites to the on...
application delivery
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 11, 2013

This is generally not possible in the HTTP context. By the time you get to layer 7 HTTP evaluation, the layer 5/6 SSL has already happened. You would necessarily need to enable/disable SSL processing at layer 3/4 (IP subnets) or potentially at layer 5/6 SSL. The SSL layer switching would be a bit more complicated, and would rely on the client's ability to send the server name in the CLIENTHELLO message - a function of the TLS protocol. Older clients (ie. WinXP and earlier) would not be able to do this.

 

Optionally, you could simply re-encrypt to the server side, based on the Host header. Your above iRule would then work if you changed "clientside" to "serverside".