Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

IRULE question - pool command and SSL renegotiation

Go to solution
krisdames
Cirrus
Cirrus

‎16-Sep-2022 11:55

I have a standard SSL virtual with a client and a serverssl profile. I need to create an iRule that does some content switching based on HTTP::uri. My virtual has a clientssl profile with an SSL certificate for www.foo.com that is sending SNI hostname of www.foo.com to the pool members of poolA (the pool members require it). The iRule needs to send the request to poolB if a specific path is matched. The pool members of poolB also require SNI but for hostname www.bar.com. My question is since I have an SSL connection established with www.foo.com, when I issue the pool command to send the request to poolB will there automatically be a new SSL handshake with the poolB pool member? If not, do I need to force one (with SSL::renegotiate and perhaps SSL::profile to choose a serverssl profile with appropriate SNI hostname)?

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Stefan_Klotz
Cumulonimbus
Cumulonimbus
In response to Kevin_Stewart

‎19-Sep-2022 08:27

Kevin is already right, but to be more detailed the F5 is acting as a full proxy, means independent SSL/TCP-connections between the client<->F5 and the F5<->server/poolmember.

The SNI values from the client are independent for the connection between the F5<->server. Here the F5 acts as the client and you need to specify your required SNI values in the serverSSL profile. Means you need to create several different (at least two) serverSSL profiles matching your requirements and switch them with the iRule. The "SSL::profile" command should be sufficient here.

Hope that helps!

Regards Stefan 🙂

View solution in original post

2 REPLIES 2

Go to solution
Kevin_Stewart
F5 Employee
F5 Employee

‎16-Sep-2022 12:47

I'd recommend having the iRule select a new server SSL profile based on these client side properties. You're sending traffic to a new server, so BIG-IP has to initiate a new TCP connection and SSL session to that node.

Go to solution
Stefan_Klotz
Cumulonimbus
Cumulonimbus
In response to Kevin_Stewart

‎19-Sep-2022 08:27

Kevin is already right, but to be more detailed the F5 is acting as a full proxy, means independent SSL/TCP-connections between the client<->F5 and the F5<->server/poolmember.

The SNI values from the client are independent for the connection between the F5<->server. Here the F5 acts as the client and you need to specify your required SNI values in the serverSSL profile. Means you need to create several different (at least two) serverSSL profiles matching your requirements and switch them with the iRule. The "SSL::profile" command should be sufficient here.

Hope that helps!

Regards Stefan 🙂

Copyright © 2023 Khoros, LLC