K-Dubb
Mar 12, 2019
Nimbostratus
SNI
Has anyone tried to use multiple SSL profiles on a VIP with SNI and each profile have different allowed ciphers/protocols? This article indicates that each profile can have different security requir...
Set up a VIP-targeted VIP and use a traffic policy.
The first VIP listens on 443 and has no SSL profiles, SNAT or HTTP profile. It only has a local traffic policy.
This policy will forward traffic to a targeted VIP (1 VIP per client SSL profile) based on the SNI name in the TLS ClientHello.
Per targeted VS you have a client SSL profile with the correct certificate and ciphers, and an HTTP profile.
Some useful resources:
https://devcentral.f5.com/articles/lightboard-lessons-vip-targeting-vip
https://devcentral.f5.com/articles/sni-routing-with-big-ip-31348