Forum Discussion
use irule to force SSL profile based on URL
https://support.f5.com/csp/article/K13452
Well, yes. The easiest way to support different client side certificates is to use SNI switching. You create multiple client SSL profiles, each with a different Server Name attribute (that should match the defined certificate CN or SAN), and then include all of the client SSL profiles in a single VIP. Based on the SNI value in the client's ClientHello TLS handshake message, the BIG-IP will switch between the client SSL profiles.
Swapping the server side SSL profile is also pretty straight forward. You'd just add the
SSL::profile [profile_name]
command to an iRule event. Ref: https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx, and you can even do this in a CPM policy.
But keep in mind for client-side SNI switching, the client SSL profiles all have to be identical, except for the Server Name attribute and cert/key. If you actually need different types of client SSL profiles (like with different ciphers, or client authentication), then you'd have to parse the binary SNI value from the TCP payload. There are plenty of examples of that here, so not terribly difficult.
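The "parse the binary SNI value from the TCP payload" step the reply refers to, shown here in Python as an added example (it is not an iRule and not from the original post) so the byte offsets an iRule would walk with `binary scan` are explicit. The ClientHello is constructed inline; a real deployment would read it from the collected TCP payload.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = server_name.encode("ascii")
    # ServerNameList: one entry of type 0 (host_name), 2-byte length, name
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (
        b"\x03\x03"                # client_version
        + bytes(32)                # random (zeros, constructed)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\xc0\x2f"      # one cipher suite
        + b"\x01\x00"              # one compression method (null)
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(payload: bytes):
    """Walk a raw TLS record and return the SNI host_name, or None."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None  # not a handshake record containing a ClientHello
    hs_len = int.from_bytes(payload[6:9], "big")
    if len(payload) < 9 + hs_len:
        return None  # truncated: an iRule would keep collecting TCP data
    p = 9 + 2 + 32  # skip handshake header, client_version, random
    p += 1 + payload[p]  # session_id
    p += 2 + int.from_bytes(payload[p:p + 2], "big")  # cipher_suites
    p += 1 + payload[p]  # compression_methods
    if p + 2 > 9 + hs_len:
        return None  # legacy ClientHello without any extensions
    end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type = int.from_bytes(payload[p:p + 2], "big")
        ext_len = int.from_bytes(payload[p + 2:p + 4], "big")
        p += 4
        if ext_type == 0:  # server_name extension
            q = p + 2  # skip ServerNameList length
            while q + 3 <= p + ext_len:
                name_type = payload[q]
                name_len = int.from_bytes(payload[q + 1:q + 3], "big")
                if name_type == 0:  # host_name
                    return payload[q + 3:q + 3 + name_len].decode("ascii", "replace")
                q += 3 + name_len
            return None
        p += ext_len
    return None
```

Once the host name is recovered this way, the selected profile can be applied with `SSL::profile` exactly as for the server side, with the advantage that the per-name profiles no longer need to be identical apart from certificate and key.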