Understanding the Authenticate Name Option on Server SSL profile on BIG-IP

Quick Intro Have you ever wondered what this little option on Server SSL profile really does in practice? This is what this article is all about. If you're only interested about what I learn...
Published Apr 20, 2020
Version 1.0
BIG-IP
security
serverssl
ssl
tls
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Apr 26, 2020

Hi Rodrigo,

Is that possible to use *.company.com in Authenticate Name? If not probably only option to verify certificates of servers set with different FQDNs is to use iRule - guess Local Traffic Policy will be of no use here? - and select correct Server SSL Profile (with Authenticate Name matching Pool Member selected via LB) based on for example Data Group - any better option here?

 

Doing tmsh list ltm virtual [VS name] on 15.1.0.2 (not present in 14.1.2.3) I noticed parameter serverssl-use-sni  with description:

 

When multiple server-ssl profiles are attached to a virtual, setting this allows one to be chosen based on the SNI extention from the ClientHello if a client-ssl profile is also attached to the virtual.

 

Probably a bit unrelated but would be great if you could create article about this functionality.

 

Piotr