
Brad_146558
Jul 23, 2014

iRule / SSL Question

So I am running an iRule to cut down on the number of IP addresses I have exposed to the internet. It works great, but I currently break those nodes up into different iRules based on their certificate.

 

My question is, if I apply more than 1 SSL profile to a virtual server, will it pick the one that fits best or will it just get confused and angry?

 

Thanks =)

 

1 Reply

  • The ability to apply multiple SSL profiles to a virtual server is dependent upon a TLS functionality called Server Name Indicator. TLS clients will present a "server name" extension in the CLIENTHELLO message of the TLS handshake, and the virtual server will dutifully select the most appropriate client SSL profile based on the Server Name value applied to each SSL profile (or a designated default profile if none matches the request). This requires all clients to support and prefer TLS, which may not always be the case, at least for older browsers. The alternative to this approach is going to be a single client SSL profile with either a "wildcard" certificate, or "SAN" (Subject Alt Name) certificate. The former matches all addresses in a defined domain (i.e. *.domain.com), and the latter matches a specific set of names (i.e. www1.domain.com, www2.domain.com, www3.domain.com, etc.).