Forum Discussion
Using multiple SSL Profiles on a single virtual server
We are trying to configure a virtual server to serve multiple HTTPS sites. We are getting an error when trying to save the virtual server properties.
"0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server"
I have followed the details in this article: https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
I have 2 SSL profiles. Both issued from the same certificate authority. Both certificates and keys are installed on this LTM. I have 1 profile check marked as the default SSL profile for SNI.
The one thing I am questioning..... both certificates are wildcard certs. *.whatever.org and *.something.org. In the SSL profile in the Server Name field I have put the common name from the cert called: *.whatever.org
Any help would be much appreciated.
11 Replies
- nitass
Employee
Can you post the clientssl profiles configuration?
tmsh list ltm profile client-ssl (name)
- Mike_Cronquist_
Nimbostratus
Yes, both client SSL profiles are exactly the same except for the cert and key.
Both certs are issued from DigiCert. Both certs are wildcard.
- *.xyz.something.org (Default SNI)
- *.whatever.org
Has anyone been successful using more than 1 SSL profile on a virtual server?
I think the cleanest solution may be to create another VIP and use 1 SSL profile per VIP, knowing that you will need to make DNS changes.
- cornelsen_16577
Nimbostratus
Have you been able to resolve the issue? I am facing the same.
- Stanislas_Piro2
Cumulonimbus
To configure multiple client SSL profiles on one virtual server, you need to configure the "Server Name" setting on all profiles.
In the example, profile clientssl_something:
- certificate : wildcard_something
- key : wildcard_something
- Chain : DigiCert
- Default SNI : Yes
- Server Name : *.xyz.something.org
Profile clientssl_whatever:
- certificate : wildcard_whatever
- key : wildcard_whatever
- Chain : DigiCert
- Default SNI : No
- Server Name : *.whatever.org
- Nilesh_Kahar_24
Nimbostratus
Hi Stanislas,
Will assigning multiple profiles to a VIP have any impact on existing services? Please help clarify my doubt.
- Stanislas_Piro2
Cumulonimbus
If you have doubts, create new profiles and one new virtual server and try it... SNI (Server Name Indication) is a solution to reply with the expected certificate based on the Server Name field in the Client Hello request... The browser will send this field based on the requested URL (https://www.google.com/path will send SN www.google.com). This feature is compatible with every recent browser (not compatible with IE/Windows XP). In my example configuration, I defined a Default SNI profile used if the browser does not send a server name matching any profile.
- awu_7490
Nimbostratus
We ran into the same error this morning but for a different reason. The virtual server in question also has multiple SSL client profiles attached: one is for a wildcard cert and the other two are not. We were replacing the non-wildcard certs, and at the same time created new SSL client profiles. During this step, in the new SSL client profiles, I changed the Cipher setting to exclude certain cipher suites, but I didn't make the same change for the profile for the wildcard cert, as there was no cert change there. BIG-IP wouldn't accept the new client profiles until all three client profiles attached to this VS had the same cipher string setting.
- san2hosh_306591
Nimbostratus
Facing the same issue. Is there any other way to resolve this issue?
- awu_7490
Nimbostratus
Check article K13452. According to that article, if multiple SSL client profiles are attached to the same virtual server, the cipher setting and the client authentication settings must match across those SSL client profiles. In our case only the cipher setting mattered, so fixing that part corrected the problem for us.
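The two conditions this thread settles on (Stanislas's SNI layout: a Server Name on every profile and exactly one Default SNI profile; awu's K13452 finding: identical cipher strings across profiles on one virtual server) can be checked before saving the virtual server. The script below is an added example, not from the thread or from F5: it parses constructed `tmsh list ltm profile client-ssl` output (profile names and values are made up) and reports which condition would trip the 0107157c error.

```python
import re

# Constructed sample of `tmsh list ltm profile client-ssl` output for two profiles
# meant for one virtual server; the second profile's cipher string was changed
# during a cert replacement while the wildcard profile kept the default.
SAMPLE = """
ltm profile client-ssl clientssl_whatever {
    cert wildcard_whatever.crt
    ciphers DEFAULT
    key wildcard_whatever.key
    server-name *.whatever.org
    sni-default true
}
ltm profile client-ssl clientssl_app {
    cert app.crt
    ciphers DEFAULT:!RC4:!3DES
    key app.key
    server-name app.whatever.org
    sni-default false
}
"""

BLOCK = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.S | re.M)

def parse_profiles(text):
    """Return {profile name: {setting: value}} from one-level tmsh list output."""
    profiles = {}
    for name, body in BLOCK.findall(text):
        settings = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                settings[parts[0]] = parts[1]
        profiles[name] = settings
    return profiles

def check_profiles(profiles):
    """Flag the conditions the thread describes: every profile needs a server-name,
    exactly one profile is sni-default, and the cipher strings must all match."""
    problems = []
    for name, s in profiles.items():
        if s.get("server-name") in (None, "none"):
            problems.append(f"{name}: server-name not set")
    defaults = [n for n, s in profiles.items() if s.get("sni-default") == "true"]
    if len(defaults) != 1:
        problems.append(f"expected exactly one sni-default profile, found {len(defaults)}")
    ciphers = {s.get("ciphers", "DEFAULT") for s in profiles.values()}
    if len(ciphers) > 1:
        problems.append("ciphers differ across profiles: " + ", ".join(sorted(ciphers)))
    return problems
```

Run `check_profiles(parse_profiles(SAMPLE))` on the sample and the only finding is the cipher mismatch; fix that and the set of profiles would pass the checks the thread identified.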
- san2hosh_306591
Nimbostratus
But only one client requested to disable a cipher. So finally I disabled that in all profiles, which worked.