Forum Discussion
nassahla_65866
Nimbostratus
Mar 17, 2010
SSL Traffic help.... ?????
Quick question folks. We are running LTM Version 10. Just curious: we acquired an SSL certificate based on https://abcd.com, which works just fine when one tries to access the URL using the FQDN; however, it throws a certificate error when attempting to access the URL using https://1234.com (IP address). How does the LTM process IP address/FQDN relative to certificates? Any information will help.... thanks
6 Replies
- L4L7_53191
Nimbostratus
This isn't really the LTM; it's more how certificates and browsers work. Your certificate is bound to your FQDN, so the browser will throw a name mismatch warning if you try and access it via any other hostname. There's no work around to this really, as the LTM serves up your certificate which has your domain name associated with it, not the IP.
- smp_86112
Cirrostratus
I wonder if a certificate can use an IP address as a Subject Alternate Name? If it can, that would be a way to generate a single cert bound to multiple names. I know we have done this with hostnames, just never tried it with an IP address for the name. I don't see why it wouldn't work.
- hoolio
Cirrostratus
As Matt said, LTM doesn't verify the HTTP host header value that the client uses to connect to an SSL VIP, unless you explicitly configure this with HTTP classes or iRules.
- nassahla_65866
Nimbostratus
That is what I thought .. thanks a bunch...
- nassahla_65866
Nimbostratus
I am just getting into the upper layers .. for my clarification, is it then accurate to conclude that whatever value I type, IP or FQDN, in my browser is the value that will be presented to the end device, be it a server or an LTM on the other side... ?
- hoolio
Cirrostratus
When a URL is accessed, the browser sets the HTTP host header value to the domain in the URL. So if the URL is an IP address, the host header is set to an IP address. When the server (LTM in this case) sends the server cert, the browser checks the cert subject against the domain it made the request to. If the two don't match, the browser generates a mismatched cert warning.
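The name check described in the replies above, as an added example that is not part of the original thread: it compares the host typed in the URL with a certificate's names, treating an IP address in the URL as matching only an iPAddress Subject Alternative Name entry. It goes slightly beyond the thread by also handling wildcard DNS names. The function names, the certificate dictionaries and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
FQDN_ONLY = {"subject": ((("commonName", "abcd.com"),),),
             "subjectAltName": (("DNS", "abcd.com"),)}
WITH_IP = {"subject": ((("commonName", "abcd.com"),),),
           "subjectAltName": (("DNS", "abcd.com"), ("IP Address", "192.0.2.10"))}


def _dns_match(pattern, host):
    """Match one DNS name; a wildcard may only be the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # "*.abcd.com" covers www.abcd.com, but not abcd.com or a.b.abcd.com
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]


def cert_matches(cert, requested):
    """Return True if the host part of the URL is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL is compared only with iPAddress SAN entries,
        # never with DNS names or the subject commonName.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    names = [val for kind, val in sans if kind == "DNS"]
    if not names:
        # Legacy fallback to commonName; current browsers require a SAN instead.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(name, requested) for name in names)


if __name__ == "__main__":
    for label, cert in (("FQDN_ONLY", FQDN_ONLY), ("WITH_IP", WITH_IP)):
        for host in ("abcd.com", "192.0.2.10"):
            verdict = "match" if cert_matches(cert, host) else "MISMATCH"
            print(f"{label:9} https://{host:<11} {verdict}")
```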