Forum Discussion
Gbps_31870
Nimbostratus
Jul 26, 2012
SSL profile based on Host field .. Is it possible?
Hi,
I believe it's not possible, as F5 would need to decrypt the HTTPS traffic in order to find out which Host is in the HTTP header.
So, if I have two sub-domains as follows, both of them terminated on the same VIP:
www.abc.com
xxx.abc.com
and the current/default client SSL profile for this VS is for "www.abc.com" as the Common Name. The server team said that with this certificate the second sub-domain won't work and it should have its own certificate.
My question is: is it possible to generate a CSR file with "*.abc.com" as the Common Name, get the certificate from the CA, and have both sub-domains working fine? If not, what could be the solution?
Thanks in advance for your support.
BR,
Abdul
5 Replies
- nathe
Cirrocumulus
Gbps
F5 supports wildcard certificates. See http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6823.html
Hope this helps,
N
- dlg_23340
Cirrus
Another choice is to get an SSL certificate for www.abc.com with a "SAN" or "Subject Alternate Name" for xxx.abc.com. This would make the cert valid for both www.abc.com and xxx.abc.com. Depending on the vendor, I've seen certs with as many as 40 SANs on them.
- Gbps_31870
Nimbostratus
Nathan/dlg,
Thanks a lot guys for your valuable inputs, appreciated.
- hoolio
Cirrostratus
You could also look at TLS SNI which allows the client to give a server name indication in the SSL handshake. This allows the server to select a valid cert. TLS SNI is supported with an iRule in v10 and natively in v11.1:
sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication (SNI) feature
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
Joel Moses' pre-11.1 iRule:
https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx
The downside to this approach is that the clients need to support TLS SNI and not all old clients do:
http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
If you can't use TLS SNI because of old clients, using a wildcard or SAN cert works well.
Aaron
- hoolio
Cirrostratus
...
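The three options raised in this thread (wildcard cert, SAN cert, TLS SNI) as one added example; this is not part of the thread and not F5 code. It builds a minimal TLS ClientHello, parses the server_name out of it to show that the name the client asks for travels in cleartext in the handshake (so nothing has to be decrypted to pick a certificate, unlike the HTTP Host header), and then selects a certificate from a constructed inventory of single-name, SAN and wildcard certs, falling back to a default cert when the client sends no SNI at all, as pre-SNI clients do. The cert inventory, cert ids, hostnames and the browser-style one-label wildcard rule are assumptions for illustration; the ClientHello bytes are constructed, not captured.

```python
import struct

# Constructed certificate inventory (hypothetical): cert id -> DNS names the
# cert covers, i.e. its Common Name plus any Subject Alternative Names.
CERTS = {
    "www-cert": ["www.abc.com"],                 # single-name cert (the thread's current default)
    "san-cert": ["www.abc.com", "xxx.abc.com"],  # SAN cert covering both hosts
    "wild-cert": ["*.abc.com"],                  # wildcard cert
}
DEFAULT_CERT = "www-cert"   # presented when the client sends no SNI (old clients)


def build_client_hello(server_name=None):
    """Minimal TLS 1.2 ClientHello record. With server_name=None the hello
    carries no extensions block at all, like a pre-SNI client."""
    body = b"\x03\x03" + b"\x00" * 32        # client_version + 32-byte random (zeroed, constructed)
    body += b"\x00"                          # empty session_id
    body += b"\x00\x02\x00\x2f"              # one cipher suite
    body += b"\x01\x00"                      # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def parse_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or
    None if the client sent none. Only plaintext headers are read here."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block: old client
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0:
            continue
        list_end = 2 + int.from_bytes(data[:2], "big")
        p = 2
        while p + 3 <= list_end:
            name_type, nlen = data[p], int.from_bytes(data[p + 1:p + 3], "big")
            name = data[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if name_type == 0:
                return name.decode("ascii")
    return None


def name_matches(pattern, hostname):
    """Browser-style (RFC 6125) cert name matching: a leading '*.' covers
    exactly one label, so *.abc.com matches xxx.abc.com but neither abc.com
    nor a.b.abc.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".abc.com"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[:-len(suffix)]
        return prefix != "" and "." not in prefix
    return pattern == hostname


def select_cert(sni_name, certs=CERTS, default=DEFAULT_CERT):
    """First cert in inventory order that covers sni_name; the default cert
    when there is no SNI or no cert covers the requested name."""
    if sni_name is None:
        return default
    for cert_id, names in certs.items():
        if any(name_matches(n, sni_name) for n in names):
            return cert_id
    return default


def handle_client_hello(record):
    """Server side: read the SNI and decide which cert to present."""
    sni = parse_sni(record)
    return sni, select_cert(sni)


if __name__ == "__main__":
    for host in ("www.abc.com", "xxx.abc.com", "yyy.abc.com", "abc.com", None):
        print(host, "->", handle_client_hello(build_client_hello(host)))
    print(b"xxx.abc.com" in build_client_hello("xxx.abc.com"))   # name is visible in the clear
```

Two things worth noticing when running it: a client that sends no extensions at all gets the default cert, which is exactly the old-client problem hoolio points out (that client will see a certificate mismatch unless the default cert is a wildcard or SAN cert covering its host), and the wildcard cert does not cover the bare domain abc.com or a second-level host such as a.b.abc.com, so a wildcard is not a substitute for listing every name you actually serve.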