Forum Discussion
SNI for serverssl profile
Hi,
I have a situation like this:
- VS with two clientssl profiles
  - https1.test.com - SNI set to https1.test.com, Default SSL Profile for SNI checked
  - https2.test.com - SNI set to https2.test.com
- and two serverssl profiles
  - server1.test.com - SNI set to server1.test.com, Default SSL Profile for SNI checked
  - server2.test.com - SNI set to server2.test.com
- Server with two virtual hosts
  - server1.test.com - with certificate for server1.test.com
  - server2.test.com - with certificate for server2.test.com
Is there any way to configure the VS so that when a request comes with SNI https1.test.com, the serverssl profile with SNI server1.test.com is used, and when a request comes with SNI https2.test.com, the serverssl profile with SNI server2.test.com is used?
Can it somehow be done in an iRule? Maybe it's possible to use one serverssl profile and then change the SNI sent to the server depending on the SNI received from the client?
Is there any easier way to resolve this?
A somewhat separate question: how does BIG-IP verify that the presented server certificate is signed by CAs trusted by BIG-IP? By setting, in the serverssl Server Authentication section:
- Server Certificate: require
- Authenticate Name: server FQDN (or rather the content of the CN field from the certificate)
- Trusted Certificate Authorities: chain file with Root CA and all Intermediates
It seems to be working, but I am not sure if this is the correct way?
I am not sure why, when the chain file contains only the Root CA cert and the server cert is signed by an Intermediate two levels above (Root CA -> Intermediate 1 -> Intermediate 2 -> server cert), the connection still works.
Piotr