Forum Discussion

El_Jefe's avatar
El_Jefe
Icon for Nimbostratus rankNimbostratus
Jul 11, 2011

Append FQDN to https request

Hello,

 

 

I am sure this has been asked many times, but I could not find it in search. We use our F5s here internally, and the users can get to the websites using an internal hostname - like https://server1 When it appears like this in the browser, the SSL cert is actually for server1.companyxyz.com, and so, the browser complains about the SSL cert. Is there any way to automatically append the companyxyz.com to the request?

 

 

Thanks,

 

 

Jeff

 

application delivery
dev
devops
iRules

9 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jul 11, 2011
    Hi Jeff,

    If the first request is for https://server1 then the error occurs before LTM decrypts the SSL and could modify the HTTP headers. If the clients make an HTTP request first to http://server1, then you could redirect their HTTP request to HTTPS with the fully qualified domain name: 

    
when HTTP_REQUEST {
   HTTP::redirect https://server1.companyxyz.com[HTTP::uri]
}

    Aaron
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Jul 11, 2011
    As Aaron mentioned, there's a bit of a chicken vs. egg issue that many users end up facing when dealing with manipulating SSL traffic. The traffic must be decrypted on the LTM before any manipulation can be performed. The problem is, as in this case, if the user is requesting a name not represented on the certificate, they're going to get the initial mismatch error on the first handshake with the LTM, even if you're decrypting SSL on the LTM. At that point, now that the traffic is decrypted, you can certainly manipulate the traffic at will, but it's too late to stop them from seeing the initial SSL mismatch error.

     

     

    Colin
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2011
    The short answer is No.

     

     

    The client browser would be expecting a response matching the request "server1". The BIG-IP would respond with the SSL Certificate that is tied to that Virtual Server "server1.companyxyz.com".

     

     

    The BIG-IP cannot analyze, modify, or change the SSL Profile being used on the Virtual Server with an iRule until after the traffic decryption (which is after the handshake that causes the SSL Certificate Mismatch Error).
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2011
    LOL.....Nah....what you and Hoolio said.

     

     

    We all jumped on this one.

     

     

    I was typing my reply while you guys were posting yours.

     

     

    Oops! :-)
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Jul 11, 2011
    I'll take more coverage over less any day. I love this dang community. :)

     

     

    Colin
  • Ryan_Paras_7933's avatar
    Ryan_Paras_7933
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2011
    If you are involved with the issuing of the certificates, check out the use of Subject Alternative Names for your SSL certificate. Here is a quick explanation -> http://www.digicert.com/subject-alternative-name.htm
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2011
    Yea....that is a good point Ryan.

     

     

    Some multi-SAN's cost the same as a Standard (the ones I use are 2 SAN Certificates called "Advantage Certificates". I have also heard them referred to as "Multi-Domain" Certificates).

     

     

    The larger ones are Unified Communication Certificates (UCC) and normally used in newer (2007 and newer) Exchange Environments, and can have 10 or more SAN's.