Brad_146558
Jul 23, 2014

iRule / SSL Question

So I am running an iRule to cut down on the number of IP addresses I have exposed to the internet. It works great, but I currently break those nodes up into different iRules based on their certificate.

 

My question is, if I apply more than 1 SSL profile to a virtual server, will it pick the one that fits best or will it just get confused and angry?

 

Thanks =)

 

1 Reply

  • The ability to apply multiple SSL profiles to a virtual server is dependent upon a TLS functionality called Server Name Indicator. TLS clients will present a "server name" extension in the CLIENTHELLO message of the TLS handshake, and the virtual server will dutifully select the most appropriate client SSL profile based on the Server Name value applied to each SSL profile (or a designated default profile if none matches the request). This requires all clients to support and prefer TLS, which may not always be the case, at least for older browsers. The alternative to this approach is going to be a single client SSL profile with either a "wildcard" certificate or a "SAN" (Subject Alt Name) certificate. The former matches all addresses in a defined domain (i.e. *.domain.com), and the latter matches a specific set of names (i.e. www1.domain.com, www2.domain.com, www3.domain.com, etc.).