Forum Discussion
SSL::PROFILE in HTTP_REQUEST
- Mar 17, 2017
What version of firmware are you using on your F5?

The SSL profile cannot be changed after SSL negotiation has begun on the F5. By the time processing reaches the point of an SSL event, e.g. CLIENTSSL_CLIENTHELLO, the profile has already been chosen and can't be changed.

In the HTTP_REQUEST event, the SSL negotiation has already taken place and the user would have already received an SSL error if they were going to see one.

If I understand what you're attempting to accomplish, there are a few options.

Multiple profiles: SNI certificate selection prior to 11.6 only inspects the CN of the certificate subject. An option in 11.5 and before is to create a separate SSL profile for each entry in the SAN extensions, with the server name field populated in the profile.

Upgrade the F5: Starting in 11.6, the F5 performs inspection based on the RFC's description of how a browser should determine if a certificate name is valid. If there is a SAN extension, that is to be inspected and the subject CN ignored. However, most browsers will accept a subject CN or SAN extension match. I have not tested if the F5 ignores the CN in the presence of a SAN extension in 11.6 or after.

Inspect Hello: Another option is to inspect the Hello packet directly using TCP::collect and the CLIENT_DATA event, but that is resource intensive and complicated. I won't go into details, but it is an option.
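The "Inspect Hello" option above comes down to parsing the server_name extension out of the raw ClientHello bytes that TCP::collect hands to CLIENT_DATA. The following Python is an added example, not code from the post or from F5: it builds a constructed ClientHello (zeroed random, one cipher suite, an unrelated extension ahead of SNI) and walks the record to the SNI host name, returning None when there is no SNI and raising when the capture is truncated, which is the case an iRule would have to keep collecting for.

```python
import struct
from typing import Optional

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data, not a real capture)."""
    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"          # renegotiation_info, placed before SNI
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0), length, name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                          # client_version, random (zeros)
            + b"\x00"                                        # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                                    # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, None if absent or not a ClientHello.
    Raises ValueError when the record is incomplete (caller must collect more bytes)."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                                          # not a handshake record carrying ClientHello
    hs_len = int.from_bytes(data[6:9], "big")
    end = 9 + hs_len
    if len(data) < end:
        raise ValueError("truncated ClientHello: %d of %d bytes" % (len(data), end))
    pos = 9 + 2 + 32                                         # skip client_version and random
    pos += 1 + data[pos]                                     # session_id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]        # cipher_suites
    pos += 1 + data[pos]                                     # compression_methods
    if pos + 2 > end:
        return None                                          # no extensions block at all
    ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:                                # iterate extension list
        etype, elen = struct.unpack_from("!HH", data, pos)
        pos += 4
        if etype == 0x0000:                                  # server_name extension
            p = pos + 2                                      # skip ServerNameList length
            while p + 3 <= pos + elen:
                ntype, nlen = data[p], struct.unpack_from("!H", data, p + 1)[0]
                p += 3
                if ntype == 0:                               # host_name entry
                    return data[p:p + nlen].decode("ascii")
                p += nlen
        pos += elen
    return None
```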