Forum Discussion
Ah, well, that makes a lot of sense. The wildcard cert in the other profile is a catch-all. I honestly don't believe that SNI will work with a wildcard server name (haven't tested that), nor do I believe that a more specific server name SNI profile would be selected. I think your only option here is separate VIPs.
Also, could you please elaborate on what you mean by "<- it MUST match both the requested server name and the server name (or a subject alt name) in the client SSL profile's assigned certificate." from your comment?
The server name string in the client SSL profile must match what the client is asking for. The client will embed this name in the CLIENTHELLO TLS handshake message. It's also important, though not as important, that the server name in the certificate applied to that profile also uses the same server name.
There are actually two other options that I can think of:
- iRule to force SSL renegotiation and client cert prompt based on the HTTP host name. This one tends to get a little complex depending on the environment, but not too bad.
- Access Policy Manager (APM) module. If you can configure the cURL client to be able to follow HTTP redirects, APM can do this (SSL renegotiation and cert prompt) natively, among other things.
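The first option above, an iRule that triggers a renegotiation and client certificate prompt only for a particular HTTP host, looks roughly like the following. This is an added example, not code posted in the thread; the host name `secure.example.com` is a placeholder, and it assumes the client SSL profile on the virtual server already has a Trusted Certificate Authorities bundle configured and permits renegotiation (the profile's own Client Certificate setting can stay at "ignore", since the iRule switches it to "require" on demand).

```tcl
# On-demand client certificate authentication keyed on the HTTP Host header.
# Added example; the host name below is an assumption, not from the thread.
when HTTP_REQUEST {
    # Only the one host name needs a client cert; every other name on this
    # virtual server is left alone.
    if { [string tolower [HTTP::host]] equals "secure.example.com" } {
        # SSL::cert count is 0 until the client has presented a certificate.
        if { [SSL::cert count] <= 0 } {
            # Park the request so it can be replayed after the renegotiation.
            HTTP::collect
            # Flip the profile to demand a certificate and renegotiate.
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the renegotiated handshake (with or without a cert) completes.
    # Release the parked request first so a reject, if any, is clean.
    HTTP::release
    if { [SSL::cert count] < 1 } {
        # No certificate offered: drop the connection.
        reject
        return
    }
    if { [SSL::verify_result] != 0 } {
        # Certificate presented but did not chain to the trusted CA bundle.
        reject
        return
    }
}
```

Two caveats a practitioner should check before relying on this. First, the renegotiation happens mid-connection, so a client that has already sent a body with the first request can trip over the replay; keep the initial request small (a GET) or test with the actual cURL invocation. Second, TLS 1.3 removed renegotiation entirely, so if the client SSL profile allows TLS 1.3 the `SSL::renegotiate` path does not apply to those sessions and the requirement has to be enforced another way (a separate VIP, or the APM option above).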