
Use different client-ssl depending on host name

Willy
Nimbostratus

I am trying to save VIP addresses on our https servers. We have a webserver pool serving multiple hostnames. Until now, for each https request we have been setting up a new VIP corresponding with the client-ssl related to the host name. What I am looking for is something like

if hostname matches website1.com use client-ssl website1

if hostname matches website2.com use client-ssl website2

etc ...

Keep in mind that we are running version 12.1.3.

Is there a possibility somewhere?

4 REPLIES

Hello. You can use multiple client SSL profiles on the VIP. So depending on the hostname, the proper client certificate will get used. In order to use it, you need to enable SNI settings in one of the client SSL profiles, which will act as the default/fallback SSL profile. This fallback SSL profile will get used when the server name doesn't match or the client does not support SNI. In other words, if the server name is not matching and/or the client does not support SNI, then the fallback SSL profile will serve the SSL/TLS handshake.

 

You can define one of the client SSL profiles as a fallback SSL profile by checking the option below under the SSL profile advanced settings.

 

[Image: 0691T000009iFHqQAM.png]

Note: Unless you define one of the profiles as the default/fallback SSL profile for the VIP, you can't map multiple SSL profiles to a single VIP.

 

https://support.f5.com/csp/article/K13452

 

Hope it helps!

Mayur Sutare
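
The setup described in the answer above, written as tmsh commands (an added example, not part of the original thread). The hostnames and the profile names website1/website2 come from the question; the certificate/key object names, the fallback profile name `clientssl_fallback` and the virtual server name `vs_https` are assumptions, and `vs_https` is assumed to have no client SSL profile attached yet.

```tmsh
# Assumed: website1.crt/.key, website2.crt/.key and fallback.crt/.key are
# already imported on the BIG-IP, and vs_https is the existing HTTPS virtual server.

# One client SSL profile per hostname. server-name is compared with the
# SNI value the client sends in its TLS ClientHello.
create ltm profile client-ssl website1 defaults-from clientssl server-name website1.com cert-key-chain replace-all-with { website1 { cert website1.crt key website1.key } }
create ltm profile client-ssl website2 defaults-from clientssl server-name website2.com cert-key-chain replace-all-with { website2 { cert website2.crt key website2.key } }

# Default/fallback profile: handles the handshake when the client sends no
# SNI or the requested name matches none of the profiles above.
create ltm profile client-ssl clientssl_fallback defaults-from clientssl sni-default true cert-key-chain replace-all-with { fallback { cert fallback.crt key fallback.key } }

# Attach all three profiles to the single virtual server (client side).
modify ltm virtual vs_https profiles add { website1 { context clientside } website2 { context clientside } clientssl_fallback { context clientside } }

# Confirm the profile list, then persist the configuration.
list ltm virtual vs_https profiles
save sys config
```

To check the result from a client, `openssl s_client -connect <VIP>:443 -servername website1.com` shows which certificate is served for a given name. A client that sends no SNI receives the fallback certificate, so it will see a name mismatch unless that certificate also covers the hostname it asked for.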

 

Willy
Nimbostratus

Hello Mayur,

I created a test setup with different certificates and used the server name field in the clientssl, and created one last clientssl as default. This did the trick. I even went further by using a policy to go to different pools depending on the host name. That also went well. Many thanks for your answer and help.

 

 Great, happy to know that.

LiefZimmerman
Community Manager

 , I got your email about the broken links related to this elsewhere on our site. I will be getting those updated, where possible. You did the right thing by asking your question here. was able to answer your question before I even woke up. 😉 CommunityFTW. Thanks for sharing.