Forum Discussion
svs
Cirrostratus
CirrostratusIncosistent forwarding of HTTP/2 connections with layered virtual
Hi, I'm using a layered virtual configuration: Tier1: Virtual applying SNI-Routing (only SSL persistence profile and LTM policy as described in https://www.devcentral.f5.com/kb/technicalarticles/s...
zamroni777
Nacreous
Nacreousit's called coalescing in http/2.
do your ssl certificates contain SAN?
svsWoah...that's completely new for me and seems to break my layered virtual concept, based on SNI forwarding. In my case a wildcard certificate is in place. Not sure if this will result in the same behavior, but from the description and my observations, I would assume that the behavior is identical - generally every CN is also in the SAN list these days.
Unfortunately, I wasn't able to find specific information, related to the BIG-IP. From my understanding I won't be able to disable this behavior in the BIG-IP, i.e. via HTTP/2 profile or LTM policy or even via iRule, right?
The only solution I cloud think of is to get rid of the wildcard certificate and make sure, that each "app", for which a dedicated tier2 virtual exists, uses only domain-specific certificates, without any additional SANs, that should be handled by other tier2 virtuals. Did I get this right?
- zamroni777
the coalescing in controlled by client.
in your case, the wildcard certificate basically causes client to coalesce the connections.
the solution is simply do ssl offload/termination in tier1 vserver (assign client(side) ssl profile with the wildcard cert in it)