Forum Discussion
multiple SSL cert on 1 VIP question
I have a 'special' client that sent us 2 SSL certs to secure their website (www/non www of clientsite.com url).
I found this article - https://devcentral.f5.com/articles/multiple-certs-one-vip-tls-server-name-indication-via-irules.UymvAfldWz8
but the parent article appears to be gone, is this still valid and does it work?
- I need traffic from either www/non www to go to clientsite.com url (over SSL).
- I only have the DNS entry for clientsite.com url (not www.clientsite.com) which may make this moot anyway.
So basically I'm looking for some magic here, getting DNS/SSL SAN certs from this client is like pulling teeth, so if I can get both SSL's traffic to point to the url via 1 vip (or even 2 vips), that would be preferable.
FWIW - running 10.2.4 LTM
3 Replies
Hi!
Sorry to say this, but you can't do this with two certificates. You need a multi certificate or a wildcard certificate to accomplish it.
Reason being that the information needed to determine which certificate to use is located at layer 7 while the ssl encryption is done before this.
Thus you can only use one certificate per IP+port.
/Patrik
- Kevin_K_51432 (Historic F5 Account)
With SNI the client provides the domain name prior to SSL handshake completion which allows the SSL application to choose a profile prior to completing the handshake. Perhaps this article can offer some additional background:
SOL13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication feature
Hope this is helpful, Kevin
- El-Guapo_29797 (Nimbostratus)
You have two Certs and one VIP. The way to fix this is either ask the CERT Provider like verisign, Thawte or whomever issued the CERT to combine two CERTS into one. If you view a CERT, click on Detail & find subject alternative names.. The CERT will then have both URLs (one with www and one without)... Or, you can do what I would do and add an iRule to virtual server to remove www & all will work. Here is the iRule.
    when HTTP_REQUEST {
        # Check if the host starts with www.
        if { [string tolower [HTTP::host]] starts_with "www." } {
            # Redirect with the www. prefix removed to the same URI
            HTTP::redirect "http://[string range [HTTP::host] 4 end][HTTP::uri]"
        }
    }