Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

IRULE question - pool command and SSL renegotiation

krisdames
Cirrus
Cirrus

I have a standard SSL virtual with a client and a serverssl profile. I need to create an iRule that does some content switching based on HTTP::uri. My virtual has a clientssl profile with an SSL certificate for www.foo.com that is sending SNI hostname of www.foo.com to the pool members of poolA (the pool members require it). The iRule needs to send the request to poolB if a specific path is matched. The pool members of poolB also require SNI but for hostname www.bar.com. My question is since I have an SSL connection established with www.foo.com, when I issue the pool command to send the request to poolB will there automatically be a new SSL handshake with the poolB pool member? If not, do I need to force one (with SSL::renegotiate and perhaps SSL::profile to choose a serverssl profile with appropriate SNI hostname)?

 

1 ACCEPTED SOLUTION

Kevin is already right, but to be more detailed the F5 is acting as a full proxy, means independent SSL/TCP-connections between the client<->F5 and the F5<->server/poolmember.

The SNI values from the client are independent for the connection between the F5<->server. Here the F5 acts as the client and you need to specify your required SNI values in the serverSSL profile. Means you need to create several different (at least two) serverSSL profiles matching your requirements and switch them with the iRule. The "SSL::profile" command should be sufficient here.

Hope that helps!

Regards Stefan 🙂

View solution in original post

2 REPLIES 2

Kevin_Stewart
F5 Employee
F5 Employee

I'd recommend having the iRule select a new server SSL profile based on these client side properties. You're sending traffic to a new server, so BIG-IP has to initiate a new TCP connection and SSL session to that node.

Kevin is already right, but to be more detailed the F5 is acting as a full proxy, means independent SSL/TCP-connections between the client<->F5 and the F5<->server/poolmember.

The SNI values from the client are independent for the connection between the F5<->server. Here the F5 acts as the client and you need to specify your required SNI values in the serverSSL profile. Means you need to create several different (at least two) serverSSL profiles matching your requirements and switch them with the iRule. The "SSL::profile" command should be sufficient here.

Hope that helps!

Regards Stefan 🙂