Forum Discussion
SSL Profile (Client) per host
Hello,
I have multiple hosts pointing at the same public IP (virtual server). Is it possible to use a different SSL Profile (Client) per host using iRules?
E.g. I have a virtual server called demo with a public IP assigned to it. I have abc.demo.com and xyz.demo.com pointed to this virtual server. If I assign an SSL profile to the virtual server, it will get assigned to both domains. I want to use an abc profile for abc.demo.com and an xyz profile for xyz.demo.com. Please advise.
Thanks in advance.
7 Replies
- LyonsG_85618
Cirrostratus
I don't think this is possible. The SSL negotiation is done before the HTTP processing so by the time the VIP can identify the domain name it is already too late as the client SSL profile is already in use.
- Mike_Maher
Nimbostratus
What version are you running?
- Kevin_Stewart
Employee
I would concur with LyonsG. The SSL handshake happens before an HTTP host value can be evaluated. Your best options are a wildcard or SAN cert on a single client SSL profile, or Server Name Indicator (SNI) if you're running at least version 11 and all clients support TLS (> WinXP and IE6).
- PeteWhite
Employee
You can check the HTTP host header and then call SSL Renegotiation to renegotiate the SSL and use the required SSL profile. Worth checking out anyway
- Kevin_Stewart
Employee
By the time you can evaluate an HTTP Host header, an SSL negotiation has already happened, and if the first SSL profile doesn't have a cert that matches what the user is asking for, they'll get an error. There's really nothing you can do short of the above recommendations to present the right cert to the user based on the request.
- Kevin_Davies_40
Nacreous
Server Name Indication or SNI for short was created exactly to solve this problem. It presents the host name as part of the SSL negotiation. However the client and the BIGIP have to support this feature. The details on how to configure this are below.
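The point made throughout the thread, that the host name has to be available during the handshake rather than in the HTTP request, is easiest to see on the wire. The following is an added example, not code from the thread or from F5; it constructs a minimal TLS 1.2 ClientHello with and without the RFC 6066 server_name extension, parses the requested host name out of it, and picks a profile from a hypothetical name-to-profile map (abc_clientssl, xyz_clientssl and default_clientssl are assumed names, not BIG-IP objects). The "no SNI" case models older clients that never send the extension and therefore can only ever get the default profile's certificate.

```python
"""Added example: selecting a per-host TLS profile from the ClientHello's
SNI extension, before any HTTP Host header exists. ClientHello bytes are
constructed inline; profile names are hypothetical."""
import struct

# Hypothetical mapping from requested host name to client SSL profile.
PROFILES = {
    "abc.demo.com": "abc_clientssl",
    "xyz.demo.com": "xyz_clientssl",
}
DEFAULT_PROFILE = "default_clientssl"


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying
    a server_name extension (RFC 6066). Constructed test input only."""
    body = b"\x03\x03" + bytes(32)          # client_version, random
    body += b"\x00"                           # session_id length 0
    body += b"\x00\x02\xc0\x2f"               # one cipher suite
    body += b"\x01\x00"                       # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the server_name from a ClientHello record, or None when the
    client sent no SNI (e.g. IE6 on Windows XP)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    off = 2 + 32                                   # skip version + random
    sid_len = p[off]
    off += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2 + cs_len                              # skip cipher_suites
    cm_len = p[off]
    off += 1 + cm_len                              # skip compression_methods
    if off + 2 > len(p):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        off += 4
        edata = p[off:off + elen]
        off += elen
        if etype != 0x0000:                        # only server_name matters here
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0:                         # NameType host_name
                return name.decode("idna")
    return None


def select_profile(record):
    """Pick the client SSL profile from the ClientHello alone: this is the
    decision a TLS terminator must make before it can send a certificate."""
    sni = parse_sni(record)
    if sni is None:
        return DEFAULT_PROFILE        # legacy client: only the default cert is possible
    return PROFILES.get(sni, DEFAULT_PROFILE)


if __name__ == "__main__":
    for host in ("abc.demo.com", "xyz.demo.com", "other.demo.com", None):
        print(host, "->", select_profile(build_client_hello(host)))
```

The parser deliberately stops at the server_name extension: everything a per-host profile decision needs is in the first handshake message, which is why renegotiating after reading the Host header cannot help a client that already failed certificate validation on the first handshake.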