Forum Discussion

Feb 07, 2018

Multiple SSL Certs from one Virtual Server

In our environment we have 7 or 8 websites all served behind the same virtual server in the F5. Further down the pipe the web server reads the hostname they are trying to reach and serves the appropriate page. That has worked well, as everything is port 80 unencrypted. As we are now trying to move some of those sites to 443 we are presented with the problem that the F5 needs to know which website they are accessing and present the appropriate certificate to them. I have an iRule set up to read the hostname of the request and serve that connection to the appropriate pool. However, I'm not sure how to get the F5 to present a different SSL profile based on the hostname. I'm using a switch statement to send them down the right pool, so I figure after it identifies the host I could use the SSL::profile command to add the appropriate SSL cert. However, I'm getting an error of "command is not valid in the current event context". Is what I'm trying to do even possible? Here is a simplified version of the iRule I'm trying to use:

 

when HTTP_REQUEST {
    switch -glob [HTTP::host] {
        "<hostname glob>" {
            # the hostname string was lost in extraction; placeholder kept
            # this is the call that fails with "command is not valid in the current event context"
            SSL::profile CLIENT_PROFILE_SSL_ONE
        }
        default {
        }
    }
}

Thanks to any and all replies!

 

  • I have the same setup in my environment, using multiple certificates. As Brian mentioned above, the feature you're looking for is called SNI. Assign the SSL Profiles you're wanting to use to the VS. The F5 will then select the profile to be used accordingly.

    The only gotcha is that one of the SSL profiles has to be the SNI Default. This is basically for older browsers that don't support SNI; they will always default to this certificate no matter the host name (honestly we've used this for a while and have never received a complaint).

    The "SNI Default" checkbox is found in the SSL Profile configuration. (Local Traffic > Profiles > SSL)

    EDIT: I think it's noteworthy to mention I also have an iRule to connect to different pools on the same VS that's using SNI to handle multiple certificates.

    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "sni1.test.com" { pool sni1test }
            "sni2.test.com" { pool sni2test }
        }
    }
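One way to verify the resulting setup from the client side, as an added example that was not posted in this thread: it handshakes with the virtual server once per hostname with SNI set and checks that the certificate served covers that name, then once with no SNI at all to show which certificate the "SNI Default" profile hands to older clients. The virtual server address is a placeholder, and the certificate chains are assumed to validate against the local trust store.

```python
import socket
import ssl
import sys

def san_dns_names(cert):
    """DNS names from a cert dict as returned by SSLSocket.getpeercert()."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]

def host_matches_cert(host, cert):
    """True if host is covered by a SAN entry, exactly or by a one-label wildcard."""
    host = host.lower()
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def fetch_cert(address, port, sni_host):
    """Handshake with address:port sending SNI sni_host (None = no SNI, like an old client)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done by host_matches_cert instead
    # The chain must still validate (CERT_REQUIRED stays on), otherwise getpeercert() returns {}.
    # For an internal CA, add: ctx.load_verify_locations("internal-ca.pem")
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
            return tls.getpeercert()

def check_sni_setup(address, port, hosts):
    """Per hostname: does the cert served for its SNI cover it?
    Plus the SAN list of the cert served with no SNI, i.e. the SNI Default profile."""
    report = {host: host_matches_cert(host, fetch_cert(address, port, host)) for host in hosts}
    report["(no SNI)"] = san_dns_names(fetch_cert(address, port, None))
    return report

if __name__ == "__main__":
    # Assumed values: the virtual server address is a placeholder; hostnames are from the thread.
    vs_address = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    for name, outcome in check_sni_setup(vs_address, 443, ["sni1.test.com", "sni2.test.com"]).items():
        print(f"{name}: {outcome}")
```

A False entry for a hostname means that SNI name is not mapped to a profile whose certificate covers it; the "(no SNI)" entry shows what non-SNI clients will see.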