Chip_Hudgins_64
Nimbostratus
Jun 17, 2005
SSL client profile based on hostname
Is there any way to select or change the SSL client profile based on hostname?
It is easy to find the hostname in an HTTP_REQUEST but then how could you set the SSL client profile? I am...
hoolio
Cirrostratus
Jun 03, 2008
RE: SSL client profile based on hostname by hamish@ba.com
Posted By Colin on 05/30/2008 4:44 PM
This really isn't an issue with iRules or the BIG-IP. This is a protocol issue. There really is no "good" way to make this work, as you have to decrypt the traffic to have the HTTP data available, and by that time you can't choose which SSL profile to use, unless you re-encrypt.
Colin
RFC 4366 allows this (TLS Extensions) with the Server Name Indication. Apache 2.x does it, so until F5 supports it, you could offload to separate Apache instances instead (but you lose the HW assist of the F5, though).
Hopefully the HW on the F5s is flexible enough to allow the extensions... (It requires a new extended client & server hello message during negotiation)
H
Very interesting... this shows a lot of promise. I couldn't find too much detail on browser support for the TLS extension though. There is a PDF presentation (Click here) which indicates that the only IE version which supports the extension is IE7 on Vista or later. Of course most recent open source browsers seem to support it.
I'm guessing it won't be a practical solution until there is better IE support. That said, it would still be nice to get F5 to support this. Do you know if there is already a CR noting the request? If so, can you provide it so others can attach cases to it?
Thanks,
Aaron
