Is there anyway to select or change the SSL client profile based on hostname? If is easy to find the hostname in an HTTP_REQUEST but then how could you set the SSL client profile? I am trying to have one VIP for multiple SSL sites each with different SSL certificates for each. Thanks in advance.

Well, you have a bit of a "Which came first, the chicken or the egg?" problem here. How can you unencrypt the data to see the hostname if you don't have the right certificate to begin with. Anotherwards, you can't change the client profile after the client SSL session has started.

There actually is a way though, but it involves thinking a little unconventionally. If you allow someone to hit an HTTP page first (on an unencrypted or known-SSL channel prior to redirecting them), and set up a session entry for them based on their source IP address in an iRule, you could retrieve this session entry later at the beginning of an SSL session and use the SSL::profile command to choose the ssl profile you're going to use. Note that it's far from foolproof, and may not work for megaproxies and NATs, but it does sorta work.

thanks for the help. I figured as much.

Has anyone tackled this and made it work? If anyone has a sample configuration that would be great.

This really isn't an issue with iRules or the BIG-IP. This is a protocol issue. There really is no "good" way to make this work, as you have to decrypt the traffic to have the HTTP data available, and by that time you can't choose which SSL profile to use, unless you re-encrypt. Colin

SSL client profile based on hostname

21 Replies

hoolio
Cirrostratus
Mar 03, 2009
From LTM's perspective it doesn't make a difference. LTM will use either type of cert to decrypt the SSL. There is a difference in functionality though:

wildcard cert *.example.com

valid for: www.example.com, ftp.example.com, mail.example.com and any other subdomain of example.com

not valid for: example.com

SAN cert:

valid for www.example.com, www.example.co.uk, www.example.net, www.example.org

not valid for any domain that isn't explicitly specified

Also note that there might not be universal browser support for SAN's. I haven't seen issues with modern browser versions, but it's something to look into.

Aaron
steve_88008
Nimbostratus
Mar 03, 2009
cool, thanks for your time and knowledge Aaron!
Danny_Trinh_197
Nimbostratus
Mar 03, 2009
Can we use multiple certs for single VIP, but wild card? For example:

abc.example.com, cdf.example.com, efg.example.com
steve_88008
Nimbostratus
Mar 03, 2009
you can't assign more than one cert (client or server) to a VIP. That is the purpose of the wildcard cert or a cert that uses SAN.
hoolio
Cirrostratus
Mar 03, 2009
Hi Danny,

See my last post. LTM does support using wildcard certs. As far as I'm aware it should handle just about any valid PEM formatted cert.

Aaron
scot_hartman_82
Nimbostratus
May 29, 2009
Can you combine the two?

Can you get a SAN cert that has a wildcard in it?

Get a SAN cert that is valid for *.example.com and example.com?

Thx, Scot
Jason_Keating
Altostratus
Jul 21, 2010
Hi all,

Anyone know if support for RFC4366 (SNI) is available yet?

I've been unable to find anything on ask.f5.com with the strings RFC3546, RFC4366 or CR 94903

Thanks

J
JRahm
Admin
Jul 21, 2010
It's not natively supported, but you can craft an iRule to do so.
Joel_Moses
Nimbostratus
Mar 28, 2011
Here's an iRule for supporting SNI. Make sure you read the notes closely -- it's not supported on all browsers.

http://devcentral.f5.com/wiki/defau...ation.html
Nic_67118
Nimbostratus
Sep 27, 2011
Hello,

Does any one know of a way within the iRule to kick out non supported browsers/OSs? I know they get up to the point in the iRule that accept connections from TLS 1.0 - 1.2, So I am guessing there is something in the payload or the length of the payload is different, that the iRule does not like.

I would basically just like to have SNI work for those browsers that do support it, and have the other go to the default SSL profile attached to the VS.

Opinions?