Forum Discussion
krisdames
Cirrus
CirrusIRULE question - pool command and SSL renegotiation
I have a standard SSL virtual with a client and a serverssl profile. I need to create an iRule that does some content switching based on HTTP::uri. My virtual has a clientssl profile with an SSL cert...
Kevin is already right, but to be more detailed the F5 is acting as a full proxy, means independent SSL/TCP-connections between the client<->F5 and the F5<->server/poolmember.
The SNI values from the client are independent for the connection between the F5<->server. Here the F5 acts as the client and you need to specify your required SNI values in the serverSSL profile. Means you need to create several different (at least two) serverSSL profiles matching your requirements and switch them with the iRule. The "SSL::profile" command should be sufficient here.
Hope that helps!
Regards Stefan 🙂
Kevin_Stewart
Employee
EmployeeI'd recommend having the iRule select a new server SSL profile based on these client side properties. You're sending traffic to a new server, so BIG-IP has to initiate a new TCP connection and SSL session to that node.
- Stefan_Klotz
Cumulonimbus
Kevin is already right, but to be more detailed the F5 is acting as a full proxy, means independent SSL/TCP-connections between the client<->F5 and the F5<->server/poolmember.
The SNI values from the client are independent for the connection between the F5<->server. Here the F5 acts as the client and you need to specify your required SNI values in the serverSSL profile. Means you need to create several different (at least two) serverSSL profiles matching your requirements and switch them with the iRule. The "SSL::profile" command should be sufficient here.
Hope that helps!
Regards Stefan 🙂