Forum Discussion
Redirect to correct SSL Cert Site
I have a site, say it is https://www.xyz.org, and I have a certificate for www.xyz.org. I need to redirect requests coming in for https://www.xyz.com to https://www.xyz.org without getting an SSL certificate error. I took an easy approach by using the following, but this did not work.

    when HTTP_REQUEST {
        if { [HTTP::host] contains ".com" } {
            HTTP::redirect "https://www.xyz.org"
        }
    }

It gives the certificate error, and then if you accept the error and move on, it redirects. I need to do this before it hits the cert.
Is there a way to do that? I have not been successful figuring this one out. Thanks for the assist
3 Replies
- Richard__Harlan (Historic F5 Account)
Outside of getting the .com SSL cert, you are going to get the error. As SSL negotiation happens before the HTTP request, you cannot send an HTTP redirect without first getting the cert error. Now, if the customer is using TLS, there is a host name in the negotiation allowing the client to tell the server what cert they are expecting; you can then tell the F5 to return the correct cert to the customer.
- Kevin_Stewart (Employee)
The problem, unfortunately, happens before layer 7 (HTTP). The X.509 subject of the certificate that the server is presenting to the client (www.xyz.org) does not match what the client is asking for (www.xyz.com), so the browser complains. There are a few options:
- Subject Alt Name (SAN) certificate: take a single certificate and add multiple subjectAltNames to it (one for each server name). You can purchase these from any CA vendor.
- Server Name Indicator (SNI): this is a TLS extension that allows you to add multiple client SSL profiles to the (v11) VIP. You'll need two cert/key pairs (www.xyz.com and www.xyz.org), one for each client SSL profile. The extension allows the BIG-IP to switch the client SSL profiles during the SSL negotiation based on the server name value that the client sends in the ClientHello message. This requires TLS, so older clients (WinXP and below) can't use this.
- Host two VIPs, each with their own client SSL profiles and server certificates. Add a simple redirect iRule to the .com VIP so that all traffic is re-routed to the .org VIP.
You won't be able to get away from requiring a new SAN certificate or two individual certificates.
- What_Lies_Bene1 (Cirrostratus)
This is a common request. As the SSL session is established before any HTTP is passed, you simply can't do this without having a valid certificate for the .com domain.