serverssl, SNI, vHosts
Hi Piotr,
It is very likely you will need iRules to achieve this, as I don't think the ServerSSL profile supports SNI. We basically read the SSL extension in CLIENTSSL_HANDSHAKE and keep it in the session table with the SSL::sessionid as the key (value is SSL::extensions -type 0), and then insert it in SERVERSSL_CLIENTHELLO_SEND.
This is only a problem, of course, if your servers also serve different SSL certs using SNI, so this solution is more for a niche problem. If your servers don't actually run SNI themselves, then sending the SNI value in the CLIENTHELLO is a moot point.
Radu
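
An added example, not part of the original posts and not the posters' or F5's own code: an iRule that carries the client's SNI into the server-side ClientHello, following the two events named in the answer above. It assumes a per-connection variable (`sni_name`, a hypothetical name) in place of the session table keyed by SSL::sessionid, and it rebuilds the extension from a validated hostname instead of reinserting the client's raw bytes.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Reset on every handshake so a renegotiation cannot reuse a stale name.
    set sni_name ""
    if { [SSL::extensions exists -type 0] } {
        set ext [SSL::extensions -type 0]
        # server_name extension layout (big-endian):
        #   ext type(2) ext len(2) list len(2) name type(1) name len(2) name
        if { [binary scan $ext SSScSa* etype elen llen ntype nlen name] == 6 } {
            # Accept only a single host_name entry whose three length
            # fields agree with the bytes actually present.
            if { $etype == 0 && $ntype == 0
                 && $nlen == [string length $name]
                 && $llen == $nlen + 3
                 && $elen == $nlen + 5
                 && [regexp {^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$} $name] } {
                set sni_name [string tolower $name]
            } else {
                # Do not forward client-controlled bytes that fail validation.
                log local0. "Rejected malformed SNI from [IP::client_addr]"
            }
        }
    }
}

when SERVERSSL_CLIENTHELLO_SEND {
    # Connection-scoped variables set on the client side are visible here.
    if { [info exists sni_name] && $sni_name ne "" } {
        set n [string length $sni_name]
        # Rebuild the extension: type 0, ext len n+5, list len n+3,
        # name type 0 (host_name), name len n, then the hostname.
        SSL::extensions insert [binary format SSScSa* 0 [expr { $n + 5 }] \
            [expr { $n + 3 }] 0 $n $sni_name]
    }
}
```

If validation fails or the client sent no SNI, the server-side ClientHello goes out without the extension and the backend presents its default certificate.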
- dragonflymr (Cirrostratus), Mar 02, 2016

Hi, I am sure that the serverssl profile supports SNI - of course as a client, so it means it can send SNI in the client hello when starting the SSL handshake - then a target server supporting SNI can choose the correct certificate for the SSL handshake. The problem here is how the correct serverssl profile can be selected when connecting with the target server. Piotr

- raduioncu_16351 (Nimbostratus), Mar 02, 2016

Hi Piotr, You don't need multiple ServerSSL profiles - just the default one. You then use the iRule to manually insert the SNI value in the client hello when establishing the serverside connection.

- dragonflymr (Cirrostratus), Mar 02, 2016

Hi, Well, with an iRule for sure everything is possible :-). I was just curious if this is possible as well using just the GUI and SSL profiles - like it's possible with clientssl. As far as I understand your answer, it's not really possible this way? Piotr