Forum Discussion
Sam_Parkes_1110
Nimbostratus
NimbostratusSSL::profile switching - per host name requested
I'm trying to get different URL host names to negotiate with different SSL profiles as they go through a single VIP on the F5. We have several URLs we want to point to the same external IP (by DNS), where our Firewalls NAT to a single VIP address on the F5, that part is straight forward. But we would then open SSL pages which would require the client's browser to negotiate with a seperate SSL profile and therefore different certificate for each URL host name. I'm not certain this is possible - but wondered if an iRule could detect the HTTP::host and direct the request to an SSL::profile without the browser complaining?
The examples on the site are:
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] eq $specific_ip ]} {
SSL::profile host1_profile
}
but this tests on client IP address, we would need to test on the HTTP:host name.
Any help would be appreciated.
Thanks,
Sam Parkes.
GTA
- Unfortunately this is currently not possible. SSL negotiates the encryption certificate before the HTTP request is sent.
hoolioCirrostratus
I think this post has the evolution of this question (Click here).
The practical answer for current versions is you can only support one certificate per virtual server. A wildcard cert for *.example.com would allow you to host a.example.com and b.example.com on the same VIP using one cert. Using Subject Alternate Names (SANs) should allow you to host abc.com and xyz.com (or app.mysite-ip.com.aa and app.mysite-ip.com.bb) on the same VIP with one cert. At some point F5 and browsers will probably support the server_name extension for TLS to allow support for multiple certs on a single IP address and port. To request F5 support this extension, you can open a case with F5 and ask them to attach it to CR94903.
Aaron
