http://devcentral.f5.com/wiki/default.aspx/iRules/TLS_ServerNameIndication.html I posted the iRule above for discussion purposes. It decodes the TLS SNI extension field in an SSL/TLS negotiation and then attempts to dynamically switch the ClientSSL profile based on what it sees in this field. Essentially, this will allow you to use multiple certificates with a single VIP, dynamically switching them when the browser client changes the host it's requesting. I'm intending to add support for changing pools as well -- that means that it's possible to support multiple certificates and multiple pools via a single VIP behind TLS encryption. But I thought I'd get this earlier proof of concept out there so people can see it and discuss it. Joel

I have not read the iRule in detail yet. But as a quick look, iRule looks really cool. Nat

Thanks! I just posted a revision once I realized that there's a really easy way to do pool selection with a second data group list. One datagroup sets the clientSSL profile per hostname, and the other sets the pool per hostname. If it's not in either datagroup, it'll fall through to the default pool or clientSSL profile. So -- now this will allow you to host multiple sites from multiple pools using multiple certificates, all through a single VIP. ...if browser support for SNI is there, of course. :> Joel

That's really cool that you figured this out Joel. Unfortunately, as you mention, no WinXP support for TLS SNI limits the value for most people. Aaron

This is pretty cool Joel. Way more useful than the futurama rule from a few weeks ago. ;)

Aaron: That's true; it's pretty useful for corporate customers who have good control over their browser installed base, though. And for people who don't care if they ever support an IE user. :> Steve: Useful is a term best defined by the person with the correct need!

TLS Server Name Indication iRule

24 Replies

Nat_Thirasuttakorn
Employee
Mar 28, 2011
I have not read the iRule in detail yet. But as a quick look, iRule looks really cool.

Nat
Joel_Moses
Nimbostratus
Mar 28, 2011
Thanks!

I just posted a revision once I realized that there's a really easy way to do pool selection with a second data group list. One datagroup sets the clientSSL profile per hostname, and the other sets the pool per hostname. If it's not in either datagroup, it'll fall through to the default pool or clientSSL profile.

So -- now this will allow you to host multiple sites from multiple pools using multiple certificates, all through a single VIP.

...if browser support for SNI is there, of course. :>

Joel
hooleylist
Cirrostratus
Mar 28, 2011
That's really cool that you figured this out Joel. Unfortunately, as you mention, no WinXP support for TLS SNI limits the value for most people.

Aaron
Steve_Brown_882
Historic F5 Account
Mar 28, 2011
This is pretty cool Joel. Way more useful than the futurama rule from a few weeks ago. ;)
Joel_Moses
Nimbostratus
Mar 28, 2011
Aaron: That's true; it's pretty useful for corporate customers who have good control over their browser installed base, though. And for people who don't care if they ever support an IE user. :>

Steve: Useful is a term best defined by the person with the correct need!
Steve_Brown_882
Historic F5 Account
Mar 28, 2011
That is a very good point.
L4L7_53191
Nimbostratus
Mar 29, 2011
Another clinic by Joel - nicely done.

-Matt
The_Bhattman
Nimbostratus
Mar 29, 2011
Joel: Good work!!! This is very cool stuff....now if only I can get rid of Windows XP. ;-)

Bhattman
JRahm
Admin
Mar 29, 2011
Good luck on that Bhattman... :)

Great example of TLS SNI, Joel. CR94903 is in the system to add support for this to the SSL profile. If you'd like to see this added as a native feature you can open a support case and have it linked.
James_Quinby_46
Historic F5 Account
Mar 29, 2011
Very nice stuff, this. I've idly wondered on and off whether or not berkley pcap-style expressions for getting into the TCP headers and such would be useful.