Forum Discussion

Jon_Wallwork_46's avatar
Jon_Wallwork_46
Icon for Nimbostratus rankNimbostratus
May 13, 2008

Methods for selecting SSL Profile

Hi All

 

 

We have a customer who would like to do the following: I think its not possible but thought one of you guys will know more than me.

 

 

They have only one IP address and they would like to choose the SSL Certificate to use based upon which site is being requested.

 

I think that because the SSL Negotiation has to occur BEFORE the F5 can look at the HTTP host or URI there is no way of doing it.

 

 

Can anyone tell me i'm wrong and there a simple way of dealing with this?

 

 

Regards Jon
application delivery
dev
devops
iRules
v4
  • Lightspeed_VT_5's avatar
    Lightspeed_VT_5
    Icon for Nimbostratus rankNimbostratus
    May 15, 2008
    This might be a dumb question, but why wouldn't something like this work?:

     

     

    when CLIENT_ACCEPTED {

     

    if { [string tolower [HTTP::host]] equals "websitea.com"} {

     

    SSL::profile a_profile

     

    } elseif { [string tolower [HTTP::host]] equals "websiteb.com"} {

     

    SSL::profile b_profile

     

    } else {

     

    SSL::disable

     

    }

     

    }

     

     

    when HTTP_REQUEST {

     

    SSL::renegotiate

     

    }
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 15, 2008
    You can't read the host in the HTTP headers until the SSL has been decrypted. You can't decrypt the SSL until you present a cert to the client and the SSL handshake is complete. In 9.x, you could select a client SSL profile but you need to know which one to present before you decrypt the SSL. In 4.x, there isn't anything that comes close to this.

     

     

    Aaron