For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Philip_King_719's avatar
Philip_King_719
Icon for Nimbostratus rankNimbostratus
Feb 18, 2016

Redirect SSL connection to new URL before SSL handshake

I did search for this and saw all the articles that this cannot be done, but have someone insisting that it is possible so I'm asking and hoping that the answer has changed since the last articles I ...
application delivery
iRules
LTM
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Feb 19, 2016

It's not possible 'securely'... If it were available, it would be pretty insecure.

 

The reason is that redirects are done at the HTTP level. SSL/TLS connections provide the transport for that HTTP layer. So until SSL/TLS has completed, there is no stream for the HTTP protocol to work with.

 

As for TLS level redirects... Nope... That would leave you open for a MITM attack. The only safe way would be to keep renewing those certs until they're no longer needed...

 

However you could just get the new company to purchase certs that have both names in them. Then you can just redirect from one name to the other, AFTER the TLS is negotiated with the 'old' name

 

H