Forum Discussion
11 Replies
- What_Lies_Bene1 (Cirrostratus): Martin, can I assume that you're terminating client SSL and re-establishing to the servers? What version are you running?
- Kevin_Stewart (Employee): That's an interesting question. So, in v11 at least, BIG-IP does support server side SNI. If you plug a server name into the server SSL profile's Server Name block, you'll actually see the SNI extension information in the CLIENTHELLO message coming from BIG-IP. That of course implies that you have a different server SSL profile for every back end SNI host and switch profiles in an iRule (see https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx), but that's probably not too tedious.
    HTTP::header replace Host "sslapp1.alpha.com"
- Martin_Smith_58 (Nimbostratus): We're on LTM 11.2.x.
- Kevin_Stewart (Employee): The above applies to v11+, so 11.2.x supports server side SNI.
- Martin_Smith_58 (Nimbostratus):
Hi Kevin,
It sounds like you're saying there's no way to set the SNI information on the fly, as the server SSL profile's Server Name block is also not settable on the fly. I'm not sure I want to create hundreds of server SSL profiles for every possible virtual host I want to use. I think, using this stated configuration, I'm already going to be stuck creating tons of client SSL profiles for the SSL offloading from the browser to the F5. So this solution will effectively double the number of profiles.
Hmmm. I will bring this back to my team and discuss. If anyone has any other ideas about how to pull something like this off, please keep posting! :)
Thanks all,
Martin
- Kevin_Stewart (Employee): Try the Host header replacement method I described without setting the Server Name field. Still looking into why this works though.
- Kevin_Stewart (Employee): Okay, I figured it out. v11.1 introduces the SERVERSSL_CLIENTHELLO_SEND event and the SSL::extensions command. With these I can arbitrarily add extensions to the SSL negotiation. Here's a rough idea of what it looks like:
    when HTTP_REQUEST {
        HTTP::header replace Host "sslapp2.alpha.com"
    }
    when SERVERSSL_CLIENTHELLO_SEND {
        set hostname "sslapp2.alpha.com"
        # server_name extension: type 0, extension length, name list length,
        # name type 0 plus one-byte name length, then the host name itself
        set bin [binary format S1S1S1S1ca* 0 [expr [string length $hostname] + 5] [expr [string length $hostname] + 3] 0 [string length $hostname] $hostname]
        SSL::extensions insert $bin
    }
- nitass (Employee): Sorry, I might be lost. I understand the serverssl profile by default does not verify the server's certificate. So, why do you need SNI on the server-side connection? And what certificate/key are you going to put in the clientssl profile?
- Kevin_Stewart (Employee): SNI doesn't really have anything to do with certificate verification. It allows you to load multiple SSL sites onto a single IP address and port and is a modern alternative to SAN or wildcard certificates.
- Martin_Smith_58 (Nimbostratus): Posted By Kevin Stewart on 10/19/2012 12:21 PM
Do you know of any other way mass-virtual hosting is being done with an F5 and SSL? It's prohibitive for us to ask all of our hosting customers to change code, and we'd love to stop putting 100+ IPs on each web server.