Forum Discussion
SNI Certificate check
Hi,
Does anyone know how BIG-IP checks the certificates in the ssl-profile list in the VS config? From top to bottom?
I have a customer need where there are two different certificates with additional SAN names, but they share one similar domain name, e.g. test.factory.org. They also have different CNs. I would like the system to use the certificate for the test.factory.org domain that has a valid CN for O365 to work.
If the system checks them from top to bottom like in iRules, it should be fine? Right?
BR
Teemu
-----
When server-name is enabled, multiple SSL profiles can be attached to a virtual server, and one of them has to be the sni-default, which is the last resort when there is no SNI match. The correct matching order should be the following:
(*) Check whether the server_name extension is present in the Client Hello message sent by the client. If not, use the client ssl profile where sni-default is set to true.
If present, go through the following steps:
(1) First, try to find a match on the configured server-name field among all client ssl profiles attached to the virtual server.
(2) If (1) does not match, then find a match on the subjectAltName extension among the certificates attached to each client ssl profile.
(3) If (2) does not match, then find a match on the commonName field among all certificates attached to each client ssl profile.
(4) If (3) does not match, then use the client ssl profile where sni-default is set to true.
-----
So to specify that you want test.factory.org to match a specific Client-SSL profile, explicitly set the Server-Name field of the required Client-SSL profile to test.factory.org (i.e. matching in step 1).
The order in which Client-SSL profiles are evaluated is not necessarily related to the order in the UI.
- Simon_Blakely (Employee)
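The four-step order described in the answer above, as an added example that is not part of the original thread and not F5's code: a small Python model with simplified, assumed field names (not BIG-IP's real configuration schema). It shows why two profiles that both carry test.factory.org as a SAN only resolve at step 2 with more than one candidate, and become deterministic once the Server-Name field is set on one of them.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not F5 code: a model of the Client-SSL profile selection
# order from the answer above. Field names are simplified stand-ins.

@dataclass
class Cert:
    common_name: str
    sans: List[str] = field(default_factory=list)

@dataclass
class ClientSslProfile:
    name: str
    certs: List[Cert]
    server_name: Optional[str] = None   # the profile's Server-Name field
    sni_default: bool = False

def _same_host(a: str, b: str) -> bool:
    # Hostname comparison is case-insensitive; ignore a trailing dot.
    return a.lower().rstrip(".") == b.lower().rstrip(".")

def select_profiles(profiles: List[ClientSslProfile],
                    sni: Optional[str]) -> Tuple[str, List[ClientSslProfile]]:
    """Return (step, candidates) for the hostname carried in the ClientHello
    server_name extension; sni=None means the extension is absent.
    More than one candidate means the pick is not predictable from UI order,
    so the admin should pin the hostname via step (1)."""
    default = [p for p in profiles if p.sni_default]
    if sni is None:
        return "*", default
    # (1) explicit Server-Name on the profile
    hits = [p for p in profiles if p.server_name and _same_host(p.server_name, sni)]
    if hits:
        return "1", hits
    # (2) subjectAltName of any attached certificate
    hits = [p for p in profiles
            if any(_same_host(s, sni) for c in p.certs for s in c.sans)]
    if hits:
        return "2", hits
    # (3) commonName of any attached certificate
    hits = [p for p in profiles
            if any(_same_host(c.common_name, sni) for c in p.certs)]
    if hits:
        return "3", hits
    # (4) nothing matched: fall back to the sni-default profile
    return "4", default
```

Constructed input for the question's case: two profiles whose certificates have different CNs but share test.factory.org as a SAN; without a Server-Name both qualify at step 2, with it the first resolves alone at step 1.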