Forum Discussion

LearniRule_1074
Aug 18, 2011

Use iRule to "attach" certificate

I am using a single VIP/VS to redirect all incoming traffic to different destinations/servers. Can I use iRule to send the traffic AND pick the appropriate certificate/ssl profile to be used for that particular traffic.

Meaning, if I am sending the traffic to a.b.com then I want the redirected traffic to use the cert/ssl profile for a.b.com BUT if I am sending the traffic to x.y.com then I want the traffic to use the cert/ssl profile for x.y.com.

Can this be done? I know I can use iRule to send traffic to different places but what/how do I "attach" the appropriate cert (on the F5 LTM) to use for that traffic?

7 Replies

  • I like to understand this (and I hope I do not confuse this discussion - if I do, just let me know and I will get off this discussion) -- why is it necessary to INJECT the Cert. When I create a VS and import the Cert/Key and then create an SSL profile and associate that profile with the VS, the Cert/Key will be used, no?

    My situation is like this: I need to use only 1 vs/vip for all Incoming requests and then use an iRule to send the traffic to different servers AND pick the correct cert/SSL profile (already defined in LTM - see above). Is this possible?

    so client -> ssl [F5] --> ssl direct to a.b.com, then use a.b.com cert/ssl profile

    client -> ssl [F5] --> ssl direct to x.y.com AND use x.y.com cert/ssl profile

    Will clients make requests to both a.b.com and x.y.com? If so, do you have a single cert which is valid for both (using subject alternate names)? If you do, then this is possible.

    If you don't have a single cert and clients are making requests to the HTTPS VS with more than one hostname, you'd get cert mismatch errors. The simplest solution from an LTM perspective for this latter scenario is to use DNS to point the two different hostnames to two separate IP addresses. You can then create one VS per cert and hostname.

    Once TLS server name indication is more widely adopted, you could use that to present the correct certificate to the client. We have a proof of concept iRule from DC MVP, Joel Moses, which supports TLS SNI: http://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx However, this requires clients to support TLS SNI also. As far as I'm aware, no browser on Windows XP supports this so it's a no go for most LTM admins.

    Aaron
  • I do not have a single cert. And I don't know what is a "subject alternate names".

    What the clients want is to have only one VIP because they say they are running out of IPs.

    The client wants to use only 1 VIP to distribute all incoming traffic to many servers. So yes, the same browser may access a.b.com, x.y.com or d.e.com ... etc.

    The easiest way (and as you already aptly pointed out), is to have a VIP for each of the hosts. Then for each host I import the corresponding cert/key and create the corresponding SSL Profile and then associate that profile with the VS created JUST for that host with a distinct IP (A record from DNS) and I am done.

    But they don't want that. They want only one IP (actually, only one URL) and that one host will point to the one IP/VIP, then they expect me to use iRule to route the traffic - which I can do - say, different URI - but ALSO to use the appropriate Cert/key/ssl profile. Of course, their design is faulted - if the browser is going to a.b.com (the single URL) then I can only return a.b.com, not x.y.com. But that is ok, I can tell them what really needs to happen is the client clicks on a.b.com, I take it to a.b.com and return a page that has, for example, x.y.com and when the client clicks that, it is still going to the IP for a.b.com but now they need me to send to x.y.com PLUS the cert/ssl profile for x.y.com. That, the last sentence, is the part I do not find any way to do. According to your last response, this is not possible.
  • I have passed through SSL to the web servers in this scenario. Let it choose the certificate and website. Again this would need to be tested in your environment. For persistence use SSL persistence with source address fallback for when the SSL key changes. This way when they want to add a new website no F5 changes are required. Just create a new CNAME pointing to the first A record, setup your new website and off you go.

    Kevin (Jarvil)

  • Can you explain again your setup? "Let it choose the cert..." - who chooses? The iRule? The thing is, they don't want to assign more than one IP so there is only one VS for all the sites.

  • Kevin, for that to work, I think you'd need a single cert valid for all possible hostnames the client would request through the single virtual server. If LearniRule says he needs to support multiple fully qualified domain names on different domains, I can't see this working with one virtual server. Neither LTM nor the servers would be able to complete an SSL handshake for all of the different domains using one certificate.

    I think you'll need to use a separate virtual server IP per SSL certificate.

    Aaron
  • Thanks for all of your help! Basically - this cannot be done. I saw a reply from Kevin but somehow I don't see it here so I will copy this below as it is a very good explanation -

    LearniRule,

    The problem is best described as the cart before the horse. You need to see the Host header of the incoming HTTP request to get the website name and match it to a certificate's common name (CN) to select the right certificate. However, to actually see this Host header, you have to decrypt the incoming SSL traffic. So by that time you have already negotiated SSL with the client and it's too late. The only way to have multiple hosts on the one VIP is to assign a certificate with additional subject alternate names, expensive as they charge for each additional SAN, or pass through the SSL to the webserver and it will choose the right SSL certificate based on the website you are trying to access.

    Kevin (Jarvil)
  • I think you're looking for something like this: Server Name Indication But be aware that this only works on some OS/browser combinations (notably, it doesn't work on IE running on Windows XP).
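Added illustration (not part of the thread, and not F5's code or Joel Moses's iRule): Kevin's "cart before the horse" point and the two SNI replies both come down to where the hostname sits in the TLS exchange. The Host header lives inside encrypted application data, so it is unusable for certificate selection; the server_name extension (SNI) is in the ClientHello, which is sent in the clear before any key is negotiated, so it can be read and matched against a per-host SSL profile. The script below builds a minimal ClientHello (constructed test input), parses the SNI extension out of it, and picks a profile; the profile names in `SSL_PROFILES` and `DEFAULT_PROFILE` are assumed placeholders. The no-SNI path is the edge case the thread raises for older clients such as browsers on Windows XP: the ClientHello then carries no extensions block at all, and the only option is a default certificate.

```python
import struct

# Assumed mapping of SNI hostname -> client SSL profile name (placeholder names)
SSL_PROFILES = {
    "a.b.com": "clientssl_a_b_com",
    "x.y.com": "clientssl_x_y_com",
}
DEFAULT_PROFILE = "clientssl_default"  # fallback when the ClientHello has no SNI


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input, not a real capture).

    With server_name=None the extensions block is omitted entirely, which is
    what a pre-SNI client sends.
    """
    client_version = b"\x03\x03"
    client_random = b"\x00" * 32
    session_id = b"\x00"                     # zero-length session id
    cipher_suites = b"\x00\x02" + b"\x00\x2f"  # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                # one method: null
    ext_block = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # RFC 6066 ServerNameList with a single host_name (type 0) entry
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        ext_block = struct.pack("!H", len(extensions)) + extensions
    body = client_version + client_random + session_id + cipher_suites + compression + ext_block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent.

    Everything read here is plaintext: the record has not been encrypted yet,
    which is exactly why SNI can drive certificate selection and the HTTP
    Host header cannot.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                              # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len   # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len     # compression_methods
    if pos >= len(body):
        return None                           # no extensions block at all (older clients)

    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext_data = body[pos:pos + ext_len]; pos += ext_len
        if ext_type != 0x0000:                # 0 = server_name
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = ext_data[p]
            name_len = struct.unpack("!H", ext_data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                # host_name
                return ext_data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def select_profile(record):
    """Pick the SSL profile for a ClientHello; unknown or missing SNI gets the default."""
    name = extract_sni(record)
    if name is None:
        return DEFAULT_PROFILE
    return SSL_PROFILES.get(name.lower(), DEFAULT_PROFILE)


if __name__ == "__main__":
    for host in ("a.b.com", "x.y.com", "d.e.com", None):
        hello = build_client_hello(host)
        print(f"SNI={extract_sni(hello)!r} -> profile {select_profile(hello)}")
```

The selection happens on the ClientHello alone, before any certificate is sent, which is the ordering Kevin's explanation says the Host header cannot satisfy. A client that omits SNI still completes a handshake, but only against the default certificate, so a single VIP serving several domains will still show certificate-mismatch warnings to those clients unless that default certificate covers every name (the SAN approach mentioned above).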