Forum Discussion
JMA_46115
Nimbostratus
Aug 27, 2012
HTTPS/HTTP rewrite URL (Wildcard SSL cert)
Hi guys,
I am pretty new to the forum and iRules...
Here's the issue I am having right now.
We are using a Wildcard SSL cert for one of our HTTPS URLs (Let's call it https://*.abc.mydoma...
hoolio
Cirrostratus
Aug 29, 2012
The problem with using a single IP address for multiple fully qualified domain names is that LTM needs to complete an SSL handshake with a single SSL cert before being able to decrypt the SSL and inspect or modify the HTTP to determine which FQDN the client requested. If LTM presents a cert which doesn't have the client's requested FQDN, the client will generate a mismatched cert error.
If the clients are in a controlled set (ie, all owned by one organization) you could potentially use TLS SNI to determine which cert to present:
http://en.wikipedia.org/wiki/Server_Name_Indication
The reason TLS SNI hasn't taken hold fully yet is that many older browsers and operating systems don't support it yet:
http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
If you can get a single certificate which is valid for all of the FQDNs clients would use to access the virtual server, you can avoid this issue. Typically, this is done with wildcard or Subject Alternative Name (SAN) certs.
If a SAN or wildcard cert can't be used and the clients are not corporate owned, you'll generally need one virtual server IP address per SSL certificate.
Aaron
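The SNI mechanism Aaron describes, as an added example that is not from the original thread or from F5: a small Python model of what a proxy can read before any decryption (the server_name extension in the ClientHello), plus a wildcard/SAN name check showing which requested FQDNs a given cert covers and hence when the client would see a mismatch. The ClientHello builder, the cert names and the hostnames are constructed for illustration.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (not a real capture) carrying one SNI entry."""
    host = hostname.encode("ascii")
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)   # version, random, sid, suite, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None; no decryption needed."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:]
    pos = 4 + 2 + 32                                    # handshake header, version, random
    pos += 1 + hs[pos]                                  # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                  # compression methods
    if pos + 2 > len(hs):
        return None                                     # legacy hello without extensions
    end, pos = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], pos + 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        p = pos + 2                                     # skip server_name_list length
        while ext_type == 0 and p + 3 <= pos + ext_len:
            ntype, nlen = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
            if ntype == 0:                              # host_name entry
                return hs[p + 3:p + 3 + nlen].decode("ascii")
            p += 3 + nlen
        pos += ext_len
    return None

def cert_covers(hostname: str, cert_names) -> bool:
    """RFC 6125-style match: '*' only in the left-most label, matching exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().split(".")
        if len(labels) == len(host) and labels[1:] == host[1:] and (
                labels[0] == host[0] or (labels[0] == "*" and len(labels) >= 3)):
            return True
    return False

def choose_cert(record: bytes, certs: dict, default: str) -> str:
    """Pick the cert whose names cover the SNI host; no SNI or no match -> default cert."""
    sni = parse_sni(record)
    return next((c for c, names in certs.items() if sni and cert_covers(sni, names)), default)
```

A client that sends no SNI (the older browsers Aaron mentions) always receives the default cert, which is exactly the case where a per-IP virtual server or a SAN/wildcard cert is still needed.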