Forum Discussion

JustJozef
Aug 22, 2023

SSL server failures on backend with more applications

Hi all,

I am trying to implement SSL server profiles for applications.

The setup is straightforward. In the SSL server profile the "Server Certificate" option is set to Required and "Authenticate Name" contains the FQDN of the backend. It works well when only one application is on the backend. But the issue starts when more applications run behind the app gateway. Then during the SSL handshake the backend (gateway) provides some default certificate, for example CN=localhost. In such a case the client (F5 server) resets the connection.

Do I have any option to handle such SSL handshakes? It works with the default SSL server profile with the "Default SSL Profile for SNI" option and without "Server Authentication", but I would like to keep only SSL server profiles with a defined CN. The default profile will contain some dummy domain.

As an example: the backend node is 1.1.1.1, where the applications run (app1.com, app2.com, app3.com, ...).


New TCP connection #1: WAF IP(port) <-> 1.1.1.1(443)
1 1 0.1600 (0.1600) C>SV3.1(135) Handshake
ClientHello

....

The SSL handshake is RST when the server provides a certificate with a CN that doesn't match the SSL server profile.
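The behaviour described in the post, reproduced as an added example (not part of the original post and not F5 or gateway code): a Go program that models the shared backend at 1.1.1.1 as a TLS server which picks its certificate from the SNI in the ClientHello and falls back to a default CN=localhost certificate when no SNI (or an unknown name) arrives, and models the F5's server-side SSL profile as a TLS client whose "Authenticate Name" check is done separately from whatever SNI it sends. The CA, the application names app1.com/app2.com and the certificates are all generated in memory for the demonstration and are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue mints a throwaway in-memory ECDSA certificate for cn: a self-signed
// CA when isCA is set, otherwise a server leaf for DNS name cn signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn} // verifiers match the SAN, not the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func leaf(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	cert, key := issue(cn, false, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// backend models the shared gateway (the 1.1.1.1 node of the post): one
// listener, a default CN=localhost certificate and one certificate per application.
type backend struct {
	defaultCert tls.Certificate
	byName      map[string]*tls.Certificate
}

func (b *backend) config() *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{b.defaultCert},
		// Go consults GetCertificate only when the ClientHello carries SNI; no SNI,
		// or an unknown name (nil from the map), means Certificates[0] is served.
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return b.byName[h.ServerName], nil
		},
	}
}

// newDemo builds the throwaway CA (the profile's trusted CA bundle), the
// backend's default certificate and a certificate for each application name.
func newDemo(apps ...string) (*backend, *x509.CertPool) {
	ca, caKey := issue("Demo Root CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	b := &backend{defaultCert: leaf("localhost", ca, caKey), byName: map[string]*tls.Certificate{}}
	for _, app := range apps {
		c := leaf(app, ca, caKey)
		b.byName[app] = &c
	}
	return b, roots
}

// handshake plays the F5's server-side SSL profile. sni is what goes into the
// ClientHello ("" sends no SNI extension at all); authName is the "Authenticate
// Name": the presented certificate must chain to roots and carry that name.
// It returns the CN the backend presented and the verification error, which is
// the point at which the F5 in the post resets the connection.
func handshake(b *backend, roots *x509.CertPool, sni, authName string) (string, error) {
	cconn, sconn := net.Pipe()
	defer cconn.Close()
	defer sconn.Close()
	go func() { _ = tls.Server(sconn, b.config()).Handshake() }()

	var presented string
	client := tls.Client(cconn, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // the name check below uses authName, not sni
		VerifyConnection: func(cs tls.ConnectionState) error {
			presented = cs.PeerCertificates[0].Subject.CommonName
			_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: roots, DNSName: authName})
			return err
		},
	})
	err := client.Handshake()
	return presented, err
}

func main() {
	b, roots := newDemo("app1.com", "app2.com")
	for _, tc := range []struct{ sni, auth string }{
		{"", "app1.com"},         // Authenticate Name only, no SNI: gets CN=localhost, fails
		{"app1.com", "app1.com"}, // SNI carries the same FQDN: correct certificate, passes
		{"app2.com", "app1.com"}, // SNI and Authenticate Name disagree: fails
	} {
		cn, err := handshake(b, roots, tc.sni, tc.auth)
		fmt.Printf("sni=%q authenticate-name=%q -> backend presented CN=%q, verify: %v\n", tc.sni, tc.auth, cn, err)
	}
}
```

The first scenario is the post's failure: "Authenticate Name" is a verification setting on the F5 side and puts nothing on the wire, so a multi-tenant backend that chooses its certificate by SNI has no way to know which application's certificate to present and serves its default one, which then fails the name check. Only a name actually sent as SNI (the second scenario) makes the backend return the matching certificate; on a BIG-IP that is the server-ssl profile's separate Server Name setting rather than Authenticate Name.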