Forum Discussion
rewriting client ssl server name
If a user enters, for example, is there a way to intercept or manipulate the ssl handshake such that the "" is changed to "https://abc.123.com"? Currently the valid cert on the F5 is for abc.123.com so when a user connects with they receive a cert error. I was wondering if there was a way to change the client's request from to https://abc.123.com.
2 Replies
Hi Craig,
the SSL negotiation MUST be completed before the client sends its first HTTP request. So there is really no way to inspect, change or even redirect the HTTP request before the certificate error message appears. This is a core security mechanism of HTTPS to avoid Man-in-the-Middle attacks and can't be turned off (and shouldn't!).
Although SNI (Server Name Indication) may send the certificate subject to the server during an SSL handshake. But even SNI can't be abused to redirect the client. It would be too dangerous...
Cheers, Kai
- StephanManthey
Hi,
TMOS supports both certificates with subject alternative names (aka SAN certificates). So just request a new cert containing not only the common name in the subject but also the common name and additional names in the subject alternative names extension. In addition the new TMOS version supports server name indication (aka SNI). It's an extension to TLS which is putting the expected CN into the client's SSL hello message. This information will be used to pick the right client-ssl profile. Just use multiple client-ssl profiles in context of your virtual server definition supporting the different hostnames you expect. Thanks, Stephan
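The two mechanisms in Stephan's answer, as an added example that is not code from this thread or from F5: a client-side hostname check that only consults the certificate's subject alternative names (which is why the CN should be repeated in the SAN list), and a server-side profile selection that sees nothing but the name carried in the ClientHello, so a request URL can never influence which certificate is presented. All hostnames, profile names and certificate contents are constructed for the example; `Cert`, `cert_covers` and `select_client_ssl_profile` are hypothetical helpers, not TMOS or BIG-IP APIs.

```python
# Added example (not from the DevCentral thread or from F5). Models how a
# TLS client matches the typed hostname against a certificate's SAN entries,
# and how an SNI-aware server picks a client-ssl profile from ClientHello.
# Hostnames, profile names and certificate contents are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    cn: str
    dns_sans: List[str] = field(default_factory=list)  # dNSName entries
    ip_sans: List[str] = field(default_factory=list)   # iPAddress entries


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName entry against a hostname.
    Only a leftmost '*' label is a wildcard and it matches exactly one label,
    so '*.123.com' covers 'abc.123.com' but not '123.com' or 'a.b.123.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # wildcard may not be the whole name and may not match an empty label
        return len(p_labels) > 1 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if a client following RFC 6125 accepts `cert` for `hostname`.
    Only SAN entries are consulted: once a SAN extension is present the CN is
    ignored, which is the reason to put the CN into the SAN list as well."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals match only iPAddress entries, never dNSName entries
        return any(ipaddress.ip_address(s) == ip for s in cert.ip_sans)
    return any(_dns_name_matches(p, hostname) for p in cert.dns_sans)


def select_client_ssl_profile(sni: Optional[str], profiles: Dict[str, Cert],
                              default: str) -> str:
    """Pick the profile whose certificate covers the SNI name from ClientHello.
    The server has only the SNI value at this point (the HTTP request comes
    after the handshake). Without SNI, or with no match, the default profile
    is used and the client sees that profile's certificate."""
    if sni:
        for name, cert in profiles.items():
            if cert_covers(cert, sni):
                return name
    return default


if __name__ == "__main__":
    # Constructed virtual server: two client-ssl profiles plus a default.
    profiles = {
        "clientssl_abc": Cert("abc.123.com", dns_sans=["abc.123.com", "*.123.com"]),
        "clientssl_xyz": Cert("xyz.example.net", dns_sans=["xyz.example.net"]),
    }
    for sni in ["abc.123.com", "www.123.com", "xyz.example.net", "other.example.org", None]:
        print(sni, "->", select_client_ssl_profile(sni, profiles, "clientssl_default"))
```

The `Cert("abc.123.com")` case with an empty SAN list is the one the thread warns about: `cert_covers` returns False for `abc.123.com` even though the CN matches, so the fix is a reissued certificate whose SAN extension lists every hostname users may type, one client-ssl profile per certificate, and SNI to select between them.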