
SNI Certificate check

tempsuli
Altostratus

Hi,

Does anyone know how BIG-IP checks the certificates in the ssl-profile list in the VS config? From top to bottom?

I have a customer need where there are two different certificates with additional SAN names, but they share one similar domain name, e.g. test.factory.org. They also have different CNs. I would like the system to use the certificate for the test.factory.org domain that has a valid CN for O365 to work.

If the system checks them from top to bottom like in iRules it should be fine? Right?

BR

Teemu

1 ACCEPTED SOLUTION

Simon_Blakely
F5 Employee

-----

When server-name is enabled, multiple SSL profiles can be attached to a virtual server and one of them has to be the sni-default, which is the last resort when there is no SNI match. The correct matching order should be the following:

(*) Check whether the server_name extension is present in the Client Hello message sent by the client. If not, use the client ssl profile where sni-default is set to true.

If present, go through the following steps:

(1) First try to find a match on configured server-name field among all client ssl profiles attached to the virtual server

(2) If (1) does not match, then find a match on subjectAltName extension among certificates attached to each client ssl profile

(3) If (2) does not match, then find a match on the commonName field among all certificates attached to each client ssl profile

(4) If (3) does not match, then use client ssl profile where sni-default is set to true

-----

 

So to specify that you want test.factory.org to match a specific client-ssl profile, explicitly set the Server-Name field of the required Client-SSL profile to test.factory.org (i.e. matching in step 1).

 

The order in which Client-SSL profiles are evaluated is not necessarily related to the order in the UI.
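The four-step order from the answer above, written out as a small Python model (an added example, not F5 code or the BIG-IP implementation). The profile and certificate names, and the assumption that names are compared exactly without wildcards, are constructed for the illustration; the point is that two certificates sharing a SAN are only disambiguated at step 2 by an evaluation order you do not control, while setting the Server Name field decides it at step 1.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    common_name: str
    sans: list  # subjectAltName DNS entries

@dataclass
class ClientSslProfile:
    name: str
    certs: list
    server_name: str = ""      # the profile's Server Name field (step 1)
    sni_default: bool = False  # last resort when nothing matches

def _default(profiles):
    for p in profiles:
        if p.sni_default:
            return p
    raise ValueError("no profile has sni-default set")

def select_profile(profiles, sni_host):
    # Returns (profile, step). Names are compared exactly, case-insensitively;
    # wildcard certificates are deliberately not modelled here (assumption).
    if not sni_host:  # (*) no server_name extension in the Client Hello
        return _default(profiles), "*"
    h = sni_host.lower()
    for p in profiles:  # (1) explicit Server Name field on the profile
        if p.server_name.lower() == h:
            return p, "1"
    for p in profiles:  # (2) subjectAltName of any attached certificate
        if any(s.lower() == h for c in p.certs for s in c.sans):
            return p, "2"
    for p in profiles:  # (3) commonName of any attached certificate
        if any(c.common_name.lower() == h for c in p.certs):
            return p, "3"
    return _default(profiles), "4"  # (4) fall back to sni-default

def demo():
    # Constructed config mirroring the question: both certs carry test.factory.org as a SAN.
    cert_a = Cert("www.factory.org", ["www.factory.org", "test.factory.org"])
    cert_b = Cert("mail.factory.org", ["mail.factory.org", "test.factory.org"])
    a = ClientSslProfile("clientssl_a", [cert_a], sni_default=True)
    b = ClientSslProfile("clientssl_b", [cert_b])
    before = select_profile([a, b], "test.factory.org")  # settled at step 2 by evaluation order
    b.server_name = "test.factory.org"                  # pin the wanted profile so step 1 decides
    after = select_profile([a, b], "test.factory.org")
    return before[0].name, before[1], after[0].name, after[1]
```

In the model the list order stands in for the evaluation order; on a real BIG-IP that order is not the UI order, which is why the Server Name pin is the reliable fix.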

