Forum Discussion

tempsuli
Feb 06, 2020
Solved

SNI Certificate check

Hi,


Does anyone know how BIG-IP checks the certificates in the SSL profile list in the VS config? From top to bottom?


I have a customer need where there are two different certificates with additional SAN names, but they share one similar domain name, e.g. test.factory.org. They also have different CNs. I would like the system to use the certificate for the test.factory.org domain that has a valid CN for O365 to work.


If the system checks them from top to bottom like in iRules, it should be fine? Right?


BR


Teemu

  • -----

    When server-name is enabled, multiple SSL profiles can be attached to a virtual server, and one of them has to be the sni-default, which is the last resort when there is no SNI match. The correct matching order should be the following:

    (*) Check whether server_name extension is present on Client Hello message sent by client. If not, use client ssl profile where sni-default is set to true.

    If present, go through the following steps:

    (1) First try to find a match on configured server-name field among all client ssl profiles attached to the virtual server

    (2) If (1) does not match, then find a match on subjectAltName extension among certificates attached to each client ssl profile

    (3) If (2) does not match, then find a match on the commonName field among all certificates attached to each client ssl profile

    (4) If (3) does not match, then use client ssl profile where sni-default is set to true

    -----


    So to specify that you want test.factory.org to match a specific Client-SSL profile, explicitly set the Server-Name field of the required Client-SSL profile to test.factory.org (i.e. matching in step 1).


    The order in which Client-SSL profiles are evaluated is not necessarily related to the order in the UI.

1 Reply
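To make the selection order in the answer above concrete, here is an added simulation of it in Python. It is not BIG-IP code and not part of the original thread; it models the four steps (server-name, subjectAltName, commonName, sni-default) over a list of Client-SSL profiles and reproduces the questioner's situation: two certificates that both carry test.factory.org as a SAN. The profile names, certificate contents and the `build_profiles` helper are constructed for the example. Two assumptions are made explicit in the code: hostnames are compared exactly and case-insensitively (no wildcard handling), and the model walks profiles in list order, whereas the answer states that BIG-IP's evaluation order is not tied to the UI order. That is exactly why the ambiguous case below is shown with the list in both orders.

```python
"""Simulation of BIG-IP's SNI -> Client-SSL profile selection order (added example, not F5 code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Certificate:
    common_name: str
    sans: List[str] = field(default_factory=list)  # dNSName entries of subjectAltName


@dataclass
class ClientSSLProfile:
    name: str
    cert: Certificate
    server_name: Optional[str] = None  # the profile's Server Name field (step 1)
    sni_default: bool = False          # the last-resort profile (steps * and 4)


def _norm(host: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot.
    # Assumption: exact matching only, no wildcard names are modelled here.
    return host.rstrip(".").lower()


def select_profile(profiles: List[ClientSSLProfile],
                   sni: Optional[str]) -> Tuple[ClientSSLProfile, str]:
    """Return (chosen profile, step that matched) following the order in the answer."""
    defaults = [p for p in profiles if p.sni_default]
    if len(defaults) != 1:
        raise ValueError("exactly one Client-SSL profile must have sni-default enabled")
    default = defaults[0]

    # (*) no server_name extension in the ClientHello -> sni-default profile
    if not sni:
        return default, "no-sni"
    host = _norm(sni)

    # (1) explicit Server Name field on a profile
    for p in profiles:
        if p.server_name and _norm(p.server_name) == host:
            return p, "server-name"
    # (2) subjectAltName of the profile's certificate
    for p in profiles:
        if any(_norm(s) == host for s in p.cert.sans):
            return p, "san"
    # (3) commonName of the profile's certificate
    for p in profiles:
        if _norm(p.cert.common_name) == host:
            return p, "cn"
    # (4) nothing matched -> sni-default profile
    return default, "sni-default"


def build_profiles(pin_test_host: bool) -> List[ClientSSLProfile]:
    """Constructed scenario: two certs that both list test.factory.org as a SAN.

    With pin_test_host=True the O365 profile gets Server Name = test.factory.org,
    which is the fix the answer recommends."""
    o365 = ClientSSLProfile(
        name="o365-clientssl",
        cert=Certificate("mail.factory.org",
                         ["mail.factory.org", "autodiscover.factory.org", "test.factory.org"]),
        server_name="test.factory.org" if pin_test_host else None,
    )
    web = ClientSSLProfile(
        name="web-clientssl",
        cert=Certificate("www.factory.org", ["factory.org", "test.factory.org"]),
        sni_default=True,
    )
    return [o365, web]


if __name__ == "__main__":
    for pinned in (False, True):
        for order in (build_profiles(pinned), list(reversed(build_profiles(pinned)))):
            chosen, step = select_profile(order, "test.factory.org")
            print(f"server-name pinned={pinned} order={[p.name for p in order]} "
                  f"-> {chosen.name} via {step}")
```

Without the Server Name field set, test.factory.org is resolved at the SAN step and the winner depends on which profile happens to be evaluated first, which the answer says is not something the UI order guarantees. With the field set on the O365 profile, step 1 wins in either order, and the other hostnames still fall through to the SAN, CN and sni-default steps as described.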
