strange ssl question

Question

hi 
&nbsp;  
&nbsp; this is a bit of a strange question! hopefully it will make sense... 
&nbsp;  
&nbsp; i know there doesn't appear to be a clean way of dynamically choosing SSL certificates via the same virtual server, so i'm trying to think of an atlernative way of providing SSL without receiving an error. would something like this work?... 
&nbsp;  
&nbsp; - client goes to http://live.com OR https://live.com 
&nbsp; - big ip redirects their request to https://TEST.com 
&nbsp; - client browser still shows https://live.com in their address bar but the encryption is between the client and https://TEST.com certificate 
&nbsp;  
&nbsp; i guess this is basically masking the URL in the address bar! obviously, if the client was to inspect the certificate it would say test.com and not match what they have in their address bar 
&nbsp;  
&nbsp; i know this sounds a bit crazy, but we have a test department who will be accessing multiple sites behind a single virtual server (because i don't want to create lots of individual virtual servers etc for testing). they need to test SSL encryption for each of these sites. as it's for testing, the obvious way is to achieve this is to add a certificate to the virtual server which will simply present an error because the virtual server does not match the web site they typed in their address bar, which the client can ignore because this is only for testing, but it would be nice if i could avoid presenting them with a certificate mismatch error 
&nbsp;  
&nbsp; i hope that made sense 
&nbsp;  
&nbsp; thanks

hoolio · Answer

Hi Skuba 
&nbsp;  
&nbsp; I don't think what you're describing with trying to mask from the client the SSL connection between the client and the VIP would really work.  If you want the client to establish an encrypted connection with the VIP, you'd need them to connect to https://... or redirect them from another URL to https://...  Either way, the address bar in the browser will show where they are connected to.  If the host from the address bar https://mysite.example.com/path/to/file.ext doesn't match the CN or subject alternate name on the certificate, the browser will generally show a warning. 
&nbsp;  
&nbsp; You could use arbitrary certs on the web server(s) and have the LTM to pool connection encrypted.  The client wouldn't have any insight into anything after their connection to the VIP.  I don't think this solves your problem of trying to allow clients to test multiple SSL connections on a single VIP.   
&nbsp;  
&nbsp; If they are test clients, could you install a custom root certificate in the browser which is valid for the domain you're testing on?  If so, you could create your own cert which is valid for *.test.com, test.com, *.live.com and *live.com. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Jeff - May 2026 Featured F5er

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

Protecting NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 with ASM

where to download older F5 OS versions

Errors with AS3 3.56.0 with F5 17.5.1.6

ssh: Common Criteria mode initialized

LTM Policy for HTTP Host rewrite

Related Content

Question about healthchecks

SSL Profiles Part 6: SSL Renegotiation

SSL Orchestrator Service Extensions: DoH Guardian

Introduction to BIG-IP SSL Orchestrator

UCS Encryption Question