Forum Discussion

CraigMo
Dec 03, 2015

rewriting client ssl server name

If a user enters, for example, is there a way to intercept or manipulate the ssl handshake such that the "" is changed to "https://abc.123.com"? Currently the valid cert on the F5 is for abc.123.com so when a user connects with they receive a cert error. I was wondering if there was a way to change the client's request from to https://abc.123.com.

2 Replies

  • Hi Craig,

    the SSL negotiation MUST be completed before the client sends its first HTTP request. So there is really no way to inspect, change or even redirect the HTTP request before the certificate error message appears. This is a core security mechanism of HTTPS to avoid Man-in-the-Middle attacks and can't be turned off (and shouldn't!).

    Although SNI (Server Name Indication) may send the certificate subject to the server during an SSL handshake, even SNI can't be abused to redirect the client. It would be too dangerous...

    Cheers, Kai

  • Hi,

    TMOS supports both certificates with subject alternative names (aka SAN certificates). So just request a new cert containing not only the common name in the subject but also the common name and additional names in the subject alternative names extension.

    In addition the new TMOS version supports server name indication (aka SNI). It's an extension to TLS which is putting the expected CN into the client's SSL hello message. This information will be used to pick the right client-ssl profile.

    Just use multiple client-ssl profiles in context of your virtual server definition supporting the different hostnames you expect.

    Thanks, Stephan
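The following is an added example, not code from the thread or from F5, that shows why the original single-name cert produces the error the question describes and why Stephan's SAN certificate fixes it: it emulates the hostname check a browser performs on a certificate, using the dict shape of Python's `ssl.SSLSocket.getpeercert()`. The hostnames other than abc.123.com are constructed placeholders.

```python
"""Emulate a TLS client's certificate name check (RFC 6125 style):
DNS subjectAltName entries are authoritative; the subject CN is only a
legacy fallback used when the cert carries no SAN extension at all."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a cert against a hostname.
    A wildcard is accepted only as the entire leftmost label and covers
    exactly one label: '*.abc.123.com' matches 'www.abc.123.com' but
    neither 'abc.123.com' nor 'a.b.abc.123.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """Return True if a getpeercert()-style dict is valid for hostname."""
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:  # SAN present: CN is ignored, exactly as modern browsers do
        return any(_name_matches(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):  # no SAN: legacy CN fallback
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


# Constructed certs (placeholder names); shape mirrors ssl.SSLSocket.getpeercert()
OLD_CERT = {"subject": ((("commonName", "abc.123.com"),),)}  # the cert currently on the F5
SAN_CERT = {  # the replacement SAN cert Stephan suggests
    "subject": ((("commonName", "abc.123.com"),),),
    "subjectAltName": (
        ("DNS", "abc.123.com"),
        ("DNS", "abc-alias.example"),  # placeholder for the second hostname users type
        ("DNS", "*.abc.123.com"),
    ),
}


def demo() -> dict:
    """Show the cert error from the question and the fix side by side."""
    return {
        "old_cert_abc.123.com": cert_covers_hostname(OLD_CERT, "abc.123.com"),
        "old_cert_alias": cert_covers_hostname(OLD_CERT, "abc-alias.example"),  # cert error
        "san_cert_alias": cert_covers_hostname(SAN_CERT, "abc-alias.example"),  # fixed
        "san_cert_wildcard": cert_covers_hostname(SAN_CERT, "www.abc.123.com"),
    }
```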