Sam_Parkes_1110
Aug 11, 2008

SSL::profile switching - per host name requested

I'm trying to get different URL host names to negotiate with different SSL profiles as they go through a single VIP on the F5. We have several URLs we want to point to the same external IP (by DNS), where our Firewalls NAT to a single VIP address on the F5, that part is straightforward. But we would then open SSL pages which would require the client's browser to negotiate with a separate SSL profile and therefore different certificate for each URL host name. I'm not certain this is possible - but wondered if an iRule could detect the HTTP::host and direct the request to an SSL::profile without the browser complaining?

The examples on the site are:

    when CLIENT_ACCEPTED {
        # Select the client SSL profile based on the client IP address
        if { [IP::addr [IP::client_addr] eq $specific_ip ]} {
            SSL::profile host1_profile
        }
    }

but this tests on client IP address, we would need to test on the HTTP::host name.

Any help would be appreciated.

Thanks,

Sam Parkes.

GTA

2 Replies

  • Patrick_Chang_7
    Historic F5 Account
    Unfortunately this is currently not possible. SSL negotiates the encryption certificate before the HTTP request is sent.
  • I think this post has the evolution of this question (Click here).

    The practical answer for current versions is you can only support one certificate per virtual server. A wildcard cert for *.example.com would allow you to host a.example.com and b.example.com on the same VIP using one cert. Using Subject Alternate Names (SANs) should allow you to host abc.com and xyz.com (or app.mysite-ip.com.aa and app.mysite-ip.com.bb) on the same VIP with one cert. At some point F5 and browsers will probably support the server_name extension for TLS to allow support for multiple certs on a single IP address and port. To request F5 support this extension, you can open a case with F5 and ask them to attach it to CR94903.

    Aaron