SNI - no SSL profile = drop/reset

Question

Hi!&nbsp;
I've got SNI working properly on my LTM virts. It's working fine, but some of the sites we host through that virt don't have SSL. Those sites don't have an SSL profile or certificate to present, so true to SNI, it presents the default SSL profile, which is a wildcard certificate for a different domain. This throws some errors in the visitor's browser, which is expected given the actions that are occurring.&nbsp;
Is there a way that I can have the Big-IP do something different with the connection when there's no matching SSL profile instead of presenting the wrong certificate?&nbsp;
Thanks!&nbsp;
Jesse

govind_32899 · Answer

I faced a similar problem . We had a SSL certificate for but when user hitting on XYZ.com they were getting cert error so i created two SSL profile with the same certificate and in one profile i used SNI as and in other profile i used SNI as XYZ.com . Then attached both profile to the VIP

jesse_reinhart_ · Answer

Thanks for the response! What I'm looking for is actually to see if the VIP can drop traffic if there's not an SSL profile/certificate for that domain, rather than providing the default SSL profile since that causes a certificate mismatch warning.

stanislas_piro2 · Answer

Hi,&nbsp;
You can both look at this thread! &nbsp;
Kai Wilke provided a solution for your question!&nbsp;

Forum Discussion

SNI - no SSL profile = drop/reset

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Server Profile SNI

Question on configuring SNI clientSSL Profile

How to Troubleshoot SNI

SNI Routing with DNS Lookup

Serverside SNI injection iRule

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS