For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

CraigMo's avatar
CraigMo
Icon for Nimbostratus rankNimbostratus
Dec 03, 2015

rewriting client ssl server name

If a user enters, for example, is there a way to intercept or manipulate the ssl handshake such that the "" is changed to "https://abc.123.com"? Currently the valid cert on the F5 is for abc.123.co...
application delivery
BIG-IP
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Dec 03, 2015

Hi Craig,

 

the SSL-negotiation MUST be completed before the client sends its first HTTP request. So there is really no way, to inspect, change or even redirect the HTTP request before the certificate error message appears. This is a core security mechanism of HTTPS to avoid Man-in-the-Middle attacks and can't be turned of (and shouldn't!).

 

Although SNI (Server Name Indication) may send the certificate subject to the server during a SSL-handshake. But even SNI can't be abused to redirect the client. It would be too dangerous...

 

Cheers, Kai