kng_51762
Oct 19, 2010

Is it possible to apply client ssl profile on the fly

I'm trying to find out if it is possible to use an irule to apply a client ssl profile on the fly based on the hostname. We have a requirement to enable ssl on a group of websites that are hosted on the same web farm and I would like to find a more efficient way of applying the ssl profile. Instead of creating a port 443 vip for each website and applying the ssl profile, it seems that an irule would be a better solution.

I've been digging through the forums and found related posts but no real answer. One thread says that it may be possible but then another thread says it is not possible due to how the https protocol works. Can anyone shed some light on this subject? If you can provide an example that would be great or point me in the right direction.

Thanks.

 

2 Replies

  • Hi Ky,

    It's possible to set a client SSL profile from an iRule using SSL::profile $clientssl_profile_name to switch which cert LTM presents the client. However, it's not practical with a typical user base (XP clients) to check which hostname the client is requesting and then specify the client SSL profile.

    You can read about this here:

    http://en.wikipedia.org/wiki/Server_Name_Indication

    Note that XP doesn't support SNI for any IE version.

    If you can get a single cert which is valid for all of the hostnames, then you can avoid this issue of trying to select the correct server cert.

    Aaron
  • Thanks for the quick response hoolio.

    We are able to use a UCC certificate but unfortunately some platforms have issues with this type of cert for some reason. Apple's products, for example, don't like the cert and it gets revoked.

    I guess there is no way around creating virtual servers for each website. Not a big deal since it's only a one-time setup.

    Thanks.