Forum Discussion
Gbps_31870
Jul 26, 2012 (Nimbostratus)
SSL profile based on Host field .. Is it possible ?
Hi,
I believe it's not possible, as F5 should decrypt the HTTPS traffic in order to find out which Host is in the HTTP header.
So, if I have two sub-domains as following, and both of t...
hooleylist
Jul 30, 2012 (Cirrostratus)
You could also look at TLS SNI, which allows the client to give a server name indication in the SSL handshake. This allows the server to select a valid cert. TLS SNI is supported with an iRule in v10 and natively in v11.1:
sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication (SNI) feature
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
Joel Moses' pre-11.1 iRule:
https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx
The downside to this approach is that the clients need to support TLS SNI and not all old clients do:
http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
If you can't use TLS SNI because of old clients, using a wildcard or SAN cert works well.
Aaron