Forum Discussion

Cirrostratus

Apr 02, 2018

redirect the pool based on certname

Folks Can someone guide me the procedure for configure multiple certificate name to redirect to specific pools without doing any ssl offloading on the F5 VS I want to redirect the traffic b...

Cumulonimbus

Apr 03, 2018

Hi,

Do you expect that the load balancing decision is done based on client certificate?

TLS protocol is simple:

Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

As you can see, the client doesn't send it's certificate until the server doesn't request it. If you don't want SSL offloading, the load balancing method must be done just after the client sent the first packet, but the client certificate is sent in the 2nd client packet.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)