Forum Discussion
SNI Certificate check
- Feb 09, 2020
-----
When server-name is enabled, multiple SSL profiles can be attached to a virtual server and one of them has to be the sni-default, which is the last resort when there is no SNI match. The correct matching order should be the following:
(*) Check whether the server_name extension is present in the Client Hello message sent by the client. If not, use the client SSL profile where sni-default is set to true.
If present, go through the following steps:
(1) First try to find a match on the configured server-name field among all client SSL profiles attached to the virtual server
(2) If (1) does not match, then find a match on the subjectAltName extension among certificates attached to each client SSL profile
(3) If (2) does not match, then find a match on the commonName field among all certificates attached to each client SSL profile
(4) If (3) does not match, then use the client SSL profile where sni-default is set to true
-----
So to specify that you want test.factory.org to match a specific Client-SSL profile, explicitly set the Server-Name field of the required Client-SSL profile to test.factory.org (i.e. matching in step 1).
The order in which Client-SSL profiles are evaluated is not necessarily related to the order in the UI.
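The selection order described above, modelled as an added Python example (not F5 code, and not from the post): the profile and certificate shapes, the exact case-insensitive hostname comparison, and the sample configuration are assumptions for illustration. It also flags the case the last sentence warns about, where more than one profile matches at the same step and the winner cannot be predicted from the UI order.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Certificate:
    common_name: str                                   # subject commonName
    subject_alt_names: List[str] = field(default_factory=list)  # dNSName SANs

@dataclass
class ClientSslProfile:
    name: str
    server_name: Optional[str] = None                  # configured Server Name field
    certificates: List[Certificate] = field(default_factory=list)
    sni_default: bool = False

def _host_eq(a: Optional[str], b: str) -> bool:
    """Case-insensitive exact hostname comparison; wildcards are out of scope here."""
    return a is not None and a.rstrip(".").lower() == b.rstrip(".").lower()

def select_profile(sni: Optional[str], profiles: List[ClientSslProfile],
                   strict: bool = True) -> Tuple[ClientSslProfile, int]:
    """Return (profile, step); step 0 = no SNI sent, 1-3 = the post's steps, 4 = fallback."""
    defaults = [p for p in profiles if p.sni_default]
    if len(defaults) != 1:
        raise ValueError("exactly one attached profile must be sni-default")
    if not sni:                                        # (*) no server_name in the Client Hello
        return defaults[0], 0
    # Each step is tried against *all* profiles before the next step is considered.
    steps = [
        lambda p: _host_eq(p.server_name, sni),                                          # (1)
        lambda p: any(_host_eq(s, sni) for c in p.certificates for s in c.subject_alt_names),  # (2)
        lambda p: any(_host_eq(c.common_name, sni) for c in p.certificates),             # (3)
    ]
    for step, test in enumerate(steps, start=1):
        hits = [p for p in profiles if test(p)]
        if strict and len(hits) > 1:
            # The winner among several matches is not tied to UI order: flag it, don't guess.
            raise ValueError(f"step {step}: {[p.name for p in hits]} all match {sni!r}")
        if hits:
            return hits[0], step
    return defaults[0], 4                              # (4)

# Constructed sample configuration (not from the post) for the worked example.
SAMPLE = [
    ClientSslProfile("default-clientssl", sni_default=True, certificates=[Certificate("default.example")]),
    ClientSslProfile("factory-clientssl", server_name="test.factory.org",
                     certificates=[Certificate("factory.org", ["factory.org", "www.factory.org"])]),
    ClientSslProfile("shop-clientssl",
                     certificates=[Certificate("shop.example", ["shop.example", "api.shop.example"])]),
]
```

Running `select_profile("test.factory.org", SAMPLE)` returns the factory profile at step 1, while `"www.factory.org"` only reaches it at step 2 via the SAN; a second profile carrying the same SAN raises in strict mode, which is the situation an explicit Server-Name setting avoids.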