Forum Discussion
Michael_Waldron
Nimbostratus
Oct 21, 2015
Help with SNI not being passed to pool servers
I think my problem is a missing check box somewhere, but I can't figure out where it is.
I'm running a BigIP, v11.6, in a test environment before we migrate to it in production.
Our require...
Brad_Parker_139
Nacreous
Oct 21, 2015
My guess is that you will have to have a server SSL profile with the Server Name field populated for every client SSL profile you have attached. I'm trying to confirm that now, but that is my suspicion.
- Michael_Waldron Oct 21, 2015
Nimbostratus
This appears to be the right path. I found under Advanced configuration in the SSL Server profile where I could specify a server name, and after doing that the first of my test sites is working. I still have to verify it for multiple sites and multiple domain names, but things are looking up. I'll report back with my final results.
- Brad_Parker_139 Oct 21, 2015
Nacreous
If it doesn't work with multiple sites you may have to use an iRule for the server SSL profile selection. This could do that assuming you name your server SSL profiles (hostname)_serverSSL and apply a default server SSL profile to the VIP with no SNI configured in it.

    when SERVER_CONNECTED {
        catch {
            SSL::profile "[string tolower [getfield [HTTP::host] ":" 1]]_serverSSL"
        }
    }

- Michael_Waldron Oct 21, 2015
Nimbostratus
Ok, this got me a bit closer, but now I'm running into the following: When I attempted to add a 2nd server SSL profile to my virtual server, I was told I needed a default SNI profile. So I created a default profile (a copy of serverssl with the only modification being the default option checked) and after applying that to the virtual server I could not access either test site. I removed the default profile, and selected Test1 as default. I was then able to access the test1 site via the virtual server, but not test2. If I change the profiles to make Test2 the default, I can access it but not Test1. The non-default server returns a 400 - Bad Request Invalid Hostname.
- Brad_Parker_139 Oct 21, 2015
Nacreous
Sounds like you will have to use an iRule for the server SSL profile selection like I mentioned above.
- Michael_Waldron Oct 21, 2015
Nimbostratus
Yep, I hadn't seen your post when I made mine. I'm going to look into the iRule tomorrow. I've not done anything with them before so much like the rest of this deployment, this will be a learning experience.
- Michael_Waldron Oct 22, 2015
Nimbostratus
When I attempt to add the above iRule I'm given the following error:

    error: /Common/ssl_sni_forward:5: error: [command is not valid in current event context (SERVER_CONNECTED)][HTTP::host]

Any ideas?
- Brad_Parker_139 Oct 22, 2015
Nacreous
Well that's dumb that it's not available in server connected. This should work and do the same thing.

    when SERVER_CONNECTED {
        catch {
            SSL::profile "[string tolower [getfield [HTTP::header "HOST"] ":" 1]]_serverSSL"
        }
    }

- Michael_Waldron Oct 22, 2015
Nimbostratus
When I apply the iRule it requires that I use the fasthttp profile, which doesn't appear to allow HTTPS connections.
- Brad_Parker_139 Oct 22, 2015
Nacreous
It should not require a fasthttp; it will require an HTTP profile, which is allowed with a clientssl profile.
- Michael_Waldron Oct 22, 2015
Nimbostratus
01070394:3: HTTP::header in rule (/Common/ssl_sni_forward) requires an associated FASTHTTP profile on the virtual server (/Common/Test-IIS-HTTPS).