For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

PK_Bhatia's avatar
PK_Bhatia
Icon for Nimbostratus rankNimbostratus
Jun 30, 2014

SAN name is not working

I am trying to use a new cert which has alternate name as abc.com and www.abc.com. I am also using SNI with name xyz.com which is default SNI for the SSL profile. I can see both the entries (abc.com ...
application delivery
management
performance
security
TMOS
TMSH
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jun 30, 2014

The default, if nothing matches, in a SAN certificate, should be whatever the subject name is (versus the subject alt names).

Let's say you have a SAN cert with a subject of xyz.com and two subjectAltNames of abc.com and www.abc.com.

You've applied this single SAN cert to a single client SSL profile and applied that to your VIP.

A user reaches your site with **xyz.com** and everything is good.
A user reaches your site with **abc.com** and everything is good.
A user reaches your site with **www.abc.com** and everything is good.

A user reaches your site with **foo.example.com and** and the match fails.

This is to be expected. In an SNI configuration, the "default" option indicates that a given client SSL profile should be chosen if none of the server name strings match the client's request. If that default client SSL profile and corresponding certificate still doesn't match the client's request, then you'll have a mismatch condition.