Forum Discussion

Willy
Sep 02, 2020

Use different client-ssl depending on host name

I am trying to save VIP addresses on our https servers. We have a webserver pool serving multiple hostnames. Until now, for each https request we have been setting up a new VIP corresponding to the client-ssl related to the host name. What I am looking for is something like

if hostname matches website1.com use client-ssl website1

if hostname matches website2.com use client-ssl website2

etc ...

Keep in mind that we are running version 12.1.3.

Is there a way to do this?

4 Replies

  • Hello, you can use multiple client SSL profiles on the VIP. So depending on the hostname, the proper client certificate will get used. In order to use it, you need to enable SNI settings in one of the client SSL profiles, which will act as the default/fallback SSL profile. This fallback SSL profile will get used when the server name doesn't match or the client is not supporting SNI. In other words, if the server name is not matching and/or the client is not supporting SNI, then the fallback SSL profile will serve the SSL/TLS handshake.

    You can define one of the client SSL profiles as the fallback SSL profile by checking the option below under the SSL profile advanced settings.

    [screenshot]

    Note: Unless you define one of the profiles as the default/fallback SSL profile for the VIP, you can't map multiple SSL profiles to a single VIP.

    https://support.f5.com/csp/article/K13452

    Hope it helps!

    Mayur Sutare

  • Willy

    Hello Mayur,

    I created a test setup with different certificates and used the server name field in the clientssl, and created one last clientssl as the default. This did the trick. I even went further by using a policy to go to different pools depending on the host name. That also went well. Many thanks for your answer and help.
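The setup Mayur describes (one client-ssl profile per hostname, one profile flagged as the SNI default) together with the host-based pool policy Willy mentions, written out as tmsh commands. This is an added example, not configuration from the thread or from F5; the profile, pool, virtual server and certificate names and the 10.0.0.10 address are placeholders, the certificate and key files are assumed to be installed already, and the policy syntax is written for the 12.1 draft/publish workflow from memory rather than taken from the linked article.

```tmsh
# Added example (not from the thread). Placeholder names throughout.

# One client SSL profile per hostname. server-name is the value the client's
# SNI extension is matched against to pick this profile.
create ltm profile client-ssl website1 defaults-from clientssl cert website1.crt key website1.key server-name website1.com
create ltm profile client-ssl website2 defaults-from clientssl cert website2.crt key website2.key server-name website2.com

# Fallback profile: sni-default true makes it serve the handshake when the
# client sends no SNI at all or a name that matches none of the profiles.
# Exactly one profile on the virtual server must carry sni-default true;
# without it the virtual server will not accept more than one client-ssl profile.
create ltm profile client-ssl default-clientssl defaults-from clientssl cert default.crt key default.key sni-default true

# All three client-ssl profiles attached to a single virtual server.
create ltm virtual vs_https destination 10.0.0.10:443 ip-protocol tcp profiles add { tcp http website1 website2 default-clientssl } source-address-translation { type automap }

# Pool selection by HTTP Host header (the policy Willy describes).
# In 12.1 an LTM policy is created as a draft and then published.
create ltm policy Drafts/host_routing controls add { forwarding } requires add { http } strategy first-match rules add { website1 { conditions add { 0 { http-host host values { website1.com } } } actions add { 0 { forward select pool pool_website1 } } ordinal 1 } website2 { conditions add { 0 { http-host host values { website2.com } } } actions add { 0 { forward select pool pool_website2 } } ordinal 2 } }
publish ltm policy Drafts/host_routing
modify ltm virtual vs_https policies add { host_routing }
```

To check which certificate a given name receives, connect from a client with `openssl s_client -connect 10.0.0.10:443 -servername website2.com` and inspect the subject of the presented certificate; repeat with `-servername` omitted (or an unknown name) to confirm that the default-clientssl certificate, not one of the site certificates, is what non-SNI clients see. If serving the fallback certificate to clients that send no SNI is not acceptable, the fallback profile also has an `sni-require` option that rejects such handshakes instead.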


  •  , I got your email about the broken links related to this elsewhere on our site. I will be getting those updated, where possible. You did the right thing by asking your question here. was able to answer your question before I even woke up. 😉 CommunityFTW. Thanks for sharing.