SSL profile based on Host field .. Is it possible ?

Question

Hi,&nbsp;
&nbsp;I believe it's not possible as F5 should decrypt the HTTPS traffic in order to find out which HOST in the http header.&nbsp;
&nbsp;So, if I have two sub-domains as following, and both of them are terminated on the same VIP. &nbsp;
&nbsp;www.abc.com
&nbsp;xxx.abc.com&nbsp;
&nbsp;and the current/default SSL client profile for this VS is for "www.abc.com" as a Common Name. Server team said that with this certificate the second sub-domain won't work and it should has it's own certificate.&nbsp;
&nbsp;My question is, is it possible to generate a CSR file with "*.abc.com" as a Common Name, get the certificate from CA, and have both sub-domains working fine. if not, what could be the solution ?&nbsp;
&nbsp;Thanks in advance for your support. &nbsp;
&nbsp; 
&nbsp;BR,
&nbsp;Abdul&nbsp;

nathe · Answer

Gbps 
&nbsp;  
&nbsp; F5 supports wildcard certificates. See http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6823.html 
&nbsp;  
&nbsp; Hope this helps, 
&nbsp; N

dlg_23340 · Answer

Another choice is to get an SSL certificate for www.abc.com with a "SAN" or "Subject Alternate Name" for xxx.abc.com.  This would make the cert valid for both www.abc.com and xxx.abc.com.  Depending on the vendor, I've seen certs with as many as 40 SANs on them.

gbps_31870 · Answer

Nathan/dig,&nbsp;
&nbsp;Thanks a lot guys for your valuable inputs ,, Appreciated &nbsp;

hoolio · Answer

You could also look at TLS SNI which allows the client to give a server name indication in the SSL handshake.  This allows the server to select a valid cert.  TLS SNI is supported with an iRule in v10 and natively in v11.1: 
&nbsp;  
&nbsp; sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication (SNI) feature 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html 
&nbsp;  
&nbsp; Joel Moses' pre-11.1 iRule: 
&nbsp; https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx 
&nbsp;  
&nbsp; The downside to this approach is that the clients need to support TLS SNI and not all old clients do: 
&nbsp; http://en.wikipedia.org/wiki/Server_Name_IndicationNo_support 
&nbsp;  
&nbsp; If you can't use TLS SNI because of old clients using a wildcard or SAN cert works well. 
&nbsp;  
&nbsp; Aaron

hoolio · Answer

...

Forum Discussion

SSL profile based on Host field .. Is it possible ?

5 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

TCPDUMP in BigIP for traffic coming from distrbuited cloud.

Catch Dynamic CRL Errors and Return Friendly Page

Bot Defense causing a lot of false positives

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

Adding my Product and support to bigF5 account

Related Content

Logging/Blocking possible prompt injection

Stop Using the Base TCP Profile!

TLS server_name extension based routing without clientssl profile

Crafting a Cloud-Based Antifragile Cyber Resiliency Strategy

Demystifying Time-based OTP