SNI for serverssl profile

Hi,

I have a situation like this:

  • VS with two clientssl profiles
    • https1.test.com - SNI set to https1.test.com, Default SSL Profile for SNI checked
    • https2.test.com - SNI set to https2.test.com
  • and two serverssl profiles
    • server1.test.com - SNI set to server1.test.com, Default SSL Profile for SNI checked
    • server2.test.com - SNI set to server2.test.com
  • Server with two virtual hosts
    • server1.test.com - with certificate for server1.test.com
    • server2.test.com - with certificate for server2.test.com

Is there any way to configure the VS so that when a request comes with SNI https1.test.com the serverssl profile with SNI server1.test.com is used, and when a request comes with SNI https2.test.com the serverssl profile with SNI server2.test.com is used?

Can it somehow be done in an iRule? Maybe it's possible to use one serverssl profile and then change the SNI sent to the server depending on the SNI received from the client?

Any easier way to resolve this?

A bit of a separate question - how does BIG-IP verify that the presented server certificate is signed by CAs trusted by BIG-IP? By setting, in the serverssl Server Authentication section:

  • Server Certificate: require
  • Authenticate Name: server FQDN (or rather the content of the CN field from the certificate)
  • Trusted Certificate Authorities: chain file with Root CA and all Intermediates

It seems to be working, but I am not sure if this is the correct way?

I am not sure why, when the chain file contains only the Root CA cert and the server cert is signed by an Intermediate two levels above it (Root CA -> Intermediate 1 -> Intermediate 2 -> server cert), the connection is still working.

Piotr

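Added example (not code from the thread, from the linked CodeShare iRule, or from F5): the two pieces behind the "change the SNI sent to the server depending on the SNI received from the client" idea, written in plain Python so they can be exercised outside BIG-IP. The host names are the ones from the question; the mapping table, the default backend and the function names are assumptions. The byte layout of the server_name extension is the one defined in RFC 6066, and the 9-byte header the parser skips is the same offset an iRule would skip when reading the raw extension.

```python
"""Client-SNI to backend-SNI mapping and the TLS server_name wire format.

Constructed illustration for the DevCentral question above; not F5 code and
not an iRule. It picks the backend name from the client's SNI and shows what
the server_name extension carrying that backend name looks like on the wire.
"""
import struct

# Constructed mapping: SNI received from the client -> SNI to present to the server.
SNI_MAP = {
    "https1.test.com": "server1.test.com",
    "https2.test.com": "server2.test.com",
}
# Mirrors the "Default SSL Profile for SNI" choice: used when no or unknown SNI arrives.
DEFAULT_BACKEND = "server1.test.com"


def select_backend_sni(client_sni):
    """Return the backend SNI for a client SNI; absent or unknown names fall back to the default."""
    if not client_sni:
        return DEFAULT_BACKEND
    return SNI_MAP.get(client_sni.lower(), DEFAULT_BACKEND)


def encode_sni_extension(hostname):
    """Build a TLS server_name extension (RFC 6066) as raw bytes.

    Layout: type(2)=0 | ext_len(2) | list_len(2) | name_type(1)=0 | name_len(2) | name
    """
    name = hostname.encode("ascii")
    header = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name))
    return header + name


def parse_sni_extension(ext):
    """Recover host_name from a server_name extension, checking every length field first."""
    if len(ext) < 9:
        raise ValueError("extension too short")
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    if ext_type != 0 or name_type != 0:
        raise ValueError("not a host_name server_name extension")
    # Each length must agree with the byte count actually present, otherwise reject.
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or name_len != list_len - 3:
        raise ValueError("inconsistent length fields")
    return ext[9:9 + name_len].decode("ascii")


if __name__ == "__main__":
    for client in ("https1.test.com", "https2.test.com", ""):
        backend = select_backend_sni(client)
        ext = encode_sni_extension(backend)
        print(f"client SNI {client!r:20} -> backend SNI {backend} ({len(ext)} bytes on the wire)")
        assert parse_sni_extension(ext) == backend
```

The parser refuses any extension whose length fields disagree with the bytes present; a name taken from client-supplied bytes should be validated the same way before it is used to choose a profile or rewrite a Host header.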

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can search in codeshare...

Kai Wilke wrote an awesome iRule to solve this issue.

https://devcentral.f5.com/codeshare/serverside-sni-injection-irule-968

Comments on this Answer
Comment made 15-May-2017 by Piotr Lewandowski 1162

Hi,

Thanks a lot. I forgot about this iRule. Works like a charm :-)

There is however one issue I am not sure how to solve - server certificate verification.

If I use one serverssl profile with Server Certificate: required, then I can only set one Authenticate Name.

So certificate verification will fail, as, based on SNI, the server will return different certificates with different FQDNs in CN.

Any solution here? Wildcard server certificate?

It seems from the info in help that it's not possible to enter a wildcard server name in Authenticate Name.

Piotr

Comment made 15-May-2017 by Piotr Lewandowski 1162

A wildcard certificate on the server side is working. In this case Authenticate Name can have any FQDN that matches the wildcard part:

Certificate FQDN: *.test.com

Authenticate Name: something.test.com

This will work for both server1.test.com and server2.test.com but not for www.server1.test.com or server1.test1.com.

Any better way to resolve this?

Piotr

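Added example (not code from the thread or from F5): the single-label wildcard rule from RFC 6125 section 6.4.3 in plain Python, so the matching behaviour described in the comment above can be checked outside BIG-IP. That BIG-IP's Authenticate Name check follows exactly this rule is an assumption; the certificate and host names are the ones used in the thread, and `check_backend_cert` is a constructed helper that emulates the check.

```python
"""Wildcard certificate-name matching, as relevant to the Authenticate Name setting.

Constructed illustration; not F5 code. Implements the RFC 6125 rule: a
wildcard is honoured only as the whole leftmost label, matches exactly one
label, and needs at least two fixed labels to its right.
"""


def hostname_matches(pattern, hostname):
    """True if the certificate name `pattern` covers `hostname`.

    `*.test.com` covers `server1.test.com` and `something.test.com`, but neither
    `www.server1.test.com` (two labels) nor `server1.test1.com` (different domain).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label and leave at least two fixed labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard stands for exactly one non-empty label.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def check_backend_cert(cert_names, authenticate_name):
    """Emulate the 'Authenticate Name' check: the configured name must be covered
    by at least one name present in the certificate (CN or subjectAltName)."""
    return any(hostname_matches(name, authenticate_name) for name in cert_names)


if __name__ == "__main__":
    for host in ("server1.test.com", "server2.test.com",
                 "www.server1.test.com", "server1.test1.com"):
        print(f"*.test.com covers {host:24} -> {hostname_matches('*.test.com', host)}")
    # Per-backend certificates from the thread, checked against each Authenticate Name.
    backend_certs = ["lamp4-110.test.com", "lamp4-110-2.test.com"]
    print(check_backend_cert(backend_certs, "lamp4-110-2.test.com"))
```

With per-FQDN certificates, each Authenticate Name only matches the one certificate it was configured for, which is why a single serverssl profile cannot cover both backends without a wildcard name.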
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

In relation to authentication of backend servers by BIG-IP (via the serverssl Server Authentication config): I wonder if the setup below is OK and can be used instead of a wildcard certificate on the backend server.

Scenario:

  • VS accepting requests for https.test.com and https1.test.com
  • Two serverssl profiles:
    • lamp4-110.test.com_srv - attached to VS with settings:
      • Server Name: lamp4-110.test.com
      • Server Certificate: required
      • Authenticate Name: lamp4-110.test.com
      • Trusted Certificate Authorities: lamp_chain
    • lamp4-110-2.test.com_srv - not attached to VS with settings as previous except:
      • Server Name: lamp4-110-2.test.com
      • Authenticate Name: lamp4-110-2.test.com
  • iRule as below

when HTTP_REQUEST {
    # Pick the backend name from the first label of the Host header (port stripped):
    # "https.test.com" -> lamp4-110.test.com, anything else -> lamp4-110-2.test.com
    if { [getfield [getfield [HTTP::host] ":" 1] "." 1] eq "https" } {
        set sni_value "lamp4-110.test.com"
    } else {
        set sni_value "lamp4-110-2.test.com"
    }
    # Send the backend's own name as Host so the matching virtual host answers
    HTTP::header replace Host $sni_value
}
when SERVER_CONNECTED {
    # Switch to the serverssl profile whose Server Name and Authenticate Name match the backend
    SSL::profile ${sni_value}_srv
}

In the SSL::profile description there is a note:

Warning: If you choose an SSL profile with a different key/cert/chain/ca-file from the SSL profile configured under the VS, the cert/key/ca-file must be reloaded, which is very time consuming (about half a second), degrading the SSL TPS performance drastically.

I assume that it is not related to the above setup, as it's a serverssl profile and Trusted Certificate Authorities uses exactly the same chain file.

Any better ways to achieve backend server authentication using FQDN-based certs (instead of a wildcard)?

Piotr
