tempsuli
Feb 06, 2020
Solved

SNI Certificate check

Hi,

Does anyone know how BIG-IP checks the certificates in the SSL profile list in the VS config? From top to bottom?

I have a customer need where there are two different certificates with additional SAN names, but they share one similar domain name, e.g. test.factory.org. They also have different CNs. I would like the system to use the certificate for the test.factory.org domain that has a valid CN for O365 to work.

If the system checks them from top to bottom like in iRules it should be fine? Right?

BR

Teemu

  • -----

    When server-name is enabled, multiple SSL profiles can be attached to a virtual server, and one of them has to be the sni-default, which is the last resort when there is no SNI match. The correct matching order should be the following:

    (*) Check whether the server_name extension is present in the Client Hello message sent by the client. If not, use the client SSL profile where sni-default is set to true.

    If present, go through the following steps:

    (1) First try to find a match on the configured server-name field among all client SSL profiles attached to the virtual server.

    (2) If (1) does not match, then find a match on the subjectAltName extension among the certificates attached to each client SSL profile.

    (3) If (2) does not match, then find a match on the commonName field among all certificates attached to each client SSL profile.

    (4) If (3) does not match, then use the client SSL profile where sni-default is set to true.

    -----

    So to specify that you want test.factory.org to match a specific Client-SSL profile, explicitly set the Server Name field of the required Client-SSL profile to test.factory.org (i.e. matching in step 1).

    The order in which Client-SSL profiles are evaluated is not necessarily related to the order in the UI.
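The matching order from the answer, as an added Python model that is not part of the original thread or of BIG-IP itself; the profiles and certificates are constructed to mirror the question, and hostname comparison is assumed to be exact and case-insensitive (wildcards are not modelled):

```python
from dataclasses import dataclass

@dataclass
class Cert:
    cn: str                         # subject commonName
    sans: tuple = ()                # dNSName entries of subjectAltName

@dataclass
class ClientSslProfile:
    name: str
    certs: tuple                    # certificates attached to the profile
    server_name: str = None         # configured Server Name field
    sni_default: bool = False

def _host_eq(a, b):
    # Assumption: exact, case-insensitive comparison; wildcards not modelled.
    return a.lower() == b.lower()

def select_profile(profiles, sni):
    """Pick the profile for the Client Hello's server_name (None = absent), steps (*), (1)-(4)."""
    default = next((p for p in profiles if p.sni_default), None)
    if sni is None:                                     # (*) no extension
        return default
    for p in profiles:                                  # (1) server-name field
        if p.server_name and _host_eq(p.server_name, sni):
            return p
    for p in profiles:                                  # (2) subjectAltName
        if any(_host_eq(n, sni) for c in p.certs for n in c.sans):
            return p
    for p in profiles:                                  # (3) commonName
        if any(_host_eq(c.cn, sni) for c in p.certs):
            return p
    return default                                      # (4) sni-default

# Constructed to mirror the question: both certificates list test.factory.org
# as a SAN, have different CNs, and only the second is the one wanted for O365.
OTHER = ClientSslProfile("other-cert", (Cert("factory.org", ("www.factory.org", "test.factory.org")),), sni_default=True)
O365 = ClientSslProfile("o365-cert", (Cert("mail.factory.org", ("mail.factory.org", "test.factory.org")),))

def without_server_name(order):
    # Step (2) matches both profiles, so the evaluation order (not the UI order) decides.
    return select_profile(order, "test.factory.org").name

def with_server_name(order):
    # Pinning Server Name on the O365 profile makes step (1) decide regardless of order.
    pinned = [ClientSslProfile(p.name, p.certs, "test.factory.org", p.sni_default)
              if p.name == "o365-cert" else p for p in order]
    return select_profile(pinned, "test.factory.org").name
```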
