Forum Discussion
Joel_Moses (Nimbostratus)
Mar 28, 2011
TLS Server Name Indication iRule
http://devcentral.f5.com/wiki/default.aspx/iRules/TLS_ServerNameIndication.html
I posted the iRule above for discussion purposes. It decodes the TLS SNI extension field in an SSL/TLS negotiation and then attempts to dynamically switch the ClientSSL profile based on what it sees in this field. Essentially, this will allow you to use multiple certificates with a single VIP, dynamically switching them when the browser client changes the host it's requesting.
I'm intending to add support for changing pools as well -- that means that it's possible to support multiple certificates and multiple pools via a single VIP behind TLS encryption. But I thought I'd get this earlier proof of concept out there so people can see it and discuss it.
Joel
- Holy "Moses" just awesome :)
- Joel_Moses (Nimbostratus): Thanks, guys!
- Colin_Walker_12 (Historic F5 Account): Piling on here: Wicked cool stuff. Keep up the good work.
- JRahm (Admin): Posted By Joel Moses on 03/30/2011 03:37 PM
- Joel_Moses (Nimbostratus): That's great! Let me know if you guys need a sounding board for this.
- Colin_Walker_12 (Historic F5 Account): We'll definitely let you know if any specific questions bubble up. We try and ping the community whenever we can to get opinions on that kind of stuff when we get the chance.
- Kevin_Davies_40 (Nacreous): I realise that this is 4 months down the track, but would an RFE on SNI/SSL profile selection go astray? This will become very common in the future.
FYI: The original article in the first post seems to have gone astray.
- hooleylist (Cirrostratus): Hi Kevin,
- Mauz (Altostratus): I have a server with a 1024-bit certificate and I need to migrate to a 2048-bit certificate. Can I use the TLS SNI feature in version 11.2 to help in this migration?
- Kevin_Stewart (Employee): The TLS Server Name extension allows the client to specify the server name in the ClientHello message, so SNI wouldn't work for you if both server certs had the same name. If both server certs are signed by the same issuer, or rather if both certs are signed by CAs that the clients explicitly trust, then you shouldn't have to do anything other than just replace the server cert.
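The two technical points in this thread, Joel's iRule decoding the server_name extension out of the ClientHello to pick a ClientSSL profile, and Kevin Stewart's note that SNI carries the host name the client asked for (so it cannot distinguish two certificates issued for the same name), can both be shown with a small standalone parser. The code below is an added illustration in Python and is not the iRule from the original post nor any F5 code; it walks the ClientHello layout from RFC 5246/6066 (record header, handshake header, version, random, session ID, cipher suites, compression methods, extensions) and returns the host_name from extension type 0 if present. The ClientHello bytes are constructed inline as sample input, the profile names are hypothetical, and every length field is bounds-checked so a truncated or malformed hello yields no name rather than an exception.

```python
import struct
from typing import Dict, Optional

# Extension type numbers from RFC 6066 (server_name) and RFC 5246 (signature_algorithms).
EXT_SERVER_NAME = 0x0000
EXT_SIGNATURE_ALGORITHMS = 0x000D
SNI_NAME_TYPE_HOST_NAME = 0


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input, not a capture).

    server_name=None omits the server_name extension entirely, which is what
    older clients that predate SNI send; the parser must cope with that case.
    """
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([SNI_NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension (signature_algorithms with one entry) so the parser has to skip something.
    extensions += struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, 4) + b"\x00\x02\x04\x01"

    body = b"\x03\x03" + b"\x00" * 32          # client_version 1.2, 32-byte random (zeroed sample)
    body += b"\x00"                            # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f" # one cipher suite
    body += b"\x01\x00"                        # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0 framing


def _parse_server_name_list(data: bytes) -> Optional[str]:
    """Return the first host_name entry of a ServerNameList, or None if absent/malformed."""
    if len(data) < 2:
        return None
    list_len = struct.unpack_from("!H", data, 0)[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack_from("!H", data, pos + 1)[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if len(name) < name_len:
            return None                        # length claims more bytes than present
        if name_type == SNI_NAME_TYPE_HOST_NAME:
            try:
                return name.decode("ascii").lower()   # DNS names compare case-insensitively
            except UnicodeDecodeError:
                return None
    return None


def parse_sni(record: bytes) -> Optional[str]:
    """Extract the SNI host_name from a TLS ClientHello record, or None when not present."""
    if len(record) < 5 or record[0] != 0x16:   # ContentType handshake
        return None
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:          # HandshakeType client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                            # truncated handshake
    pos = 2 + 32                               # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                       # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                       # compression_methods
    if pos + 2 > len(body):
        return None                            # no extensions block at all
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack_from("!HH", body, pos)
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if len(ext_data) < ext_size:
            return None
        if ext_type == EXT_SERVER_NAME:
            return _parse_server_name_list(ext_data)
    return None


def select_profile(sni: Optional[str], profiles: Dict[str, str], default: str) -> str:
    """Map the decoded host name to a (hypothetical) ClientSSL profile name, falling back to a default."""
    if sni is None:
        return default
    return profiles.get(sni.lower(), default)


if __name__ == "__main__":
    # Hypothetical profile names; there is one entry per host, so two certs for the
    # same host name (Mauz's migration case) cannot be told apart by SNI.
    profiles = {"www.example.com": "clientssl_example", "api.example.net": "clientssl_api"}
    for name in ("www.example.com", "API.EXAMPLE.NET", "unknown.test", None):
        hello = build_client_hello(name)
        sni = parse_sni(hello)
        print(f"{name!r:22} -> sni={sni!r:20} profile={select_profile(sni, profiles, 'clientssl_default')}")
```

The parser returns None for a hello with no server_name extension and for any length field that overruns the buffer, which is the case an iRule has to handle as well: a client that sends no SNI, or a malformed hello, should land on the default profile rather than aborting the handshake.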