Forum Discussion
How can I configure Server SSL Profiles to connect to different URLs on the same server?
- Jun 24, 2015
Hello,
We had the same issue: we had a single VIP which terminated SSL at the LTM level but had to make two backend SSL connections to an HA-Proxy server, so HA-Proxy would need to see the SSL call to a specific cert name. As you mentioned, we created two separate Server SSL profiles, each with a different SNI, and set one profile as default. No matter what we did, the LTM only used the default profile's SNI and ignored the secondary Server SSL profile's SNI when making the LTM-to-backend-server SSL connection. Even in a packet capture we could see that it was only using the default server profile's SNI (we are running LTM 11.5.1 HF8). So that led us to believe that even though you can assign multiple Server SSL profiles with different SNI names, the LTM only uses the SNI of the profile set as default and ignores the other profiles.
Our fix for this was to create a second VIP, map it to the same backend servers and assign each VIP its own SNI profile. This is not an ideal setup if you are calling multiple certs or if you can't use multiple VIPs. But it worked for us and we didn't bother opening a case with F5, as I think you cannot use multi-SNI calls on server-side SSL calls.
- osnetworks_6668 (Nimbostratus), Jun 25, 2015
  Thanks, this seems to confirm my suspicion that SNI is not supported on the server side. I have a call open with F5 so I will report back on that if they manage to resolve it.
- osnetworks_6668 (Nimbostratus), Jul 02, 2015
  I got the following response from F5 support: When applying a serverside SNI profile, only the default profile is selected, which replaces the host header of the incoming request. There is no hostname-based serverside SNI selection (which is different from the clientside). The solution is to use an iRule to select from the assigned serverside SSL profiles based on the contents of the hostname header. Something like this should work...

      when HTTP_REQUEST {
          # Host header with any :port suffix removed
          set hostname [getfield [HTTP::host] ":" 1]
      }
      when SERVER_CONNECTED {
          # pick one of the Server SSL profiles already assigned to the virtual server
          switch -glob [string tolower $hostname] {
              "site1.domain.uk" { SSL::profile site1.domain.uk-server }
              "site2.domain.uk" { SSL::profile site2.domain.uk-server }
          }
      }