Forum Discussion

tempsuli
Feb 06, 2020

SNI Certificate check

Hi, does anyone know how BIG-IP checks the certificates in the SSL profile list in the VS config? From top to bottom? I have a customer need where there are two different certificates wit...
  • Simon_Blakely
    Feb 09, 2020

    -----

    When server-name is enabled, multiple SSL profiles can be attached to virtual server and one of them has to be the sni-default which is the last resort when there is no SNI match. The correct matching order should be the following:

    (*) Check whether the server_name extension is present in the Client Hello message sent by the client. If not, use the client ssl profile where sni-default is set to true.

    If present, go through the following steps:

    (1) First try to find a match on the configured server-name field among all client ssl profiles attached to the virtual server.

    (2) If (1) does not match, then find a match on the subjectAltName extension among the certificates attached to each client ssl profile.

    (3) If (2) does not match, then find a match on the commonName field among all certificates attached to each client ssl profile.

    (4) If (3) does not match, then use the client ssl profile where sni-default is set to true.

    -----


    So to specify that you want test.factory.org to match a specific Client-SSL profile, explicitly set the Server-Name field of the required Client-SSL profile to test.factory.org (i.e. matching in step 1).


    The order in which Client-SSL profiles are evaluated is not necessarily related to the order in the UI.
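The four-step selection order quoted in the answer above, written out as a small Python model so the precedence can be checked against a concrete set of profiles. This is an added example, not F5 code or anything from the original post: the `ClientSslProfile` and `Certificate` classes are constructed stand-ins for the BIG-IP objects, the profiles at the bottom are made up, and matching is assumed to be a case-insensitive exact hostname comparison (the post says nothing about wildcard names, so none are handled). The function returns which step produced the match, which is what you want when auditing why a given server name landed on a particular certificate.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Certificate:
    """Constructed stand-in for a cert attached to a Client-SSL profile."""
    common_name: str
    subject_alt_names: List[str] = field(default_factory=list)


@dataclass
class ClientSslProfile:
    """Constructed stand-in for a BIG-IP Client-SSL profile (assumed fields)."""
    name: str
    server_name: Optional[str]          # the profile's Server-Name field
    sni_default: bool                   # exactly one profile should be True
    certs: List[Certificate] = field(default_factory=list)


def _same_host(a: Optional[str], b: str) -> bool:
    # Assumption: exact, case-insensitive comparison of the full hostname.
    return a is not None and a.lower() == b.lower()


def select_client_ssl_profile(
    profiles: List[ClientSslProfile], sni_hostname: Optional[str]
) -> Tuple[str, str]:
    """Return (profile name, step that matched) following the quoted order.

    Step "*" : no server_name extension -> sni-default profile
    Step "1" : profile Server-Name field
    Step "2" : subjectAltName of any cert on a profile
    Step "3" : commonName of any cert on a profile
    Step "4" : no match -> sni-default profile
    """
    defaults = [p for p in profiles if p.sni_default]
    if len(defaults) != 1:
        raise ValueError("exactly one profile must have sni-default set")
    default = defaults[0]

    # (*) Client Hello carried no server_name extension at all.
    if sni_hostname is None:
        return default.name, "*"

    # (1) Explicit Server-Name field on a profile wins over certificate contents.
    for p in profiles:
        if _same_host(p.server_name, sni_hostname):
            return p.name, "1"

    # (2) subjectAltName entries of the attached certificates.
    for p in profiles:
        for cert in p.certs:
            if any(_same_host(san, sni_hostname) for san in cert.subject_alt_names):
                return p.name, "2"

    # (3) commonName of the attached certificates.
    for p in profiles:
        for cert in p.certs:
            if _same_host(cert.common_name, sni_hostname):
                return p.name, "3"

    # (4) Nothing matched: last resort is the sni-default profile.
    return default.name, "4"


# Constructed sample profiles (names and hostnames are made up).
SAMPLE_PROFILES = [
    ClientSslProfile("default-clientssl", server_name=None, sni_default=True,
                     certs=[Certificate("default.factory.org")]),
    ClientSslProfile("factory-clientssl", server_name="test.factory.org",
                     sni_default=False,
                     certs=[Certificate("factory.org", ["www.factory.org"])]),
    ClientSslProfile("other-clientssl", server_name=None, sni_default=False,
                     certs=[Certificate("other.example", ["api.example"])]),
]


if __name__ == "__main__":
    for host in (None, "test.factory.org", "www.factory.org",
                 "other.example", "unknown.example"):
        print(f"{host!s:20} -> {select_client_ssl_profile(SAMPLE_PROFILES, host)}")
```

Running it shows the point made in the answer: `test.factory.org` is resolved at step 1 purely because of the Server-Name field, regardless of where that profile sits in the list, while hosts that only appear inside a certificate fall through to steps 2 and 3, and anything unknown ends up on the sni-default profile.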