For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

CraigMo's avatar
CraigMo
Icon for Nimbostratus rankNimbostratus
Dec 03, 2015

rewriting client ssl server name

If a user enters, for example, is there a way to intercept or manipulate the ssl handshake such that the "" is changed to "https://abc.123.com"? Currently the valid cert on the F5 is for abc.123.co...
application delivery
BIG-IP
iRules
StephanManthey's avatar
StephanManthey
Icon for Nacreous rankNacreous
Dec 03, 2015

Hi,

TMOS supports both certificates with 
subject alternative names
(aka SAN certificates). So just request a new cert containing not only the common name in the subject but also the common name and additional names in the subject alternative names extension.

In addition the new TMOS version suport 
server name indication
(aka SNI). Its an extension to TLS which is putting the expected CN into the clients SSL hello message. This information will be used to pick the right client-ssl profile.

Just use multiple client-ssl profiles in context of your virtual server definition supporting the different hostnames you expect.

Thanks, Stephan