SSL Profile (Client) per host

Question

Hello,&nbsp;
I have multiple hosts pointing at the same public ip (virtual server). Is it possible to use a different SSL Profile (Client) per host using irules?&nbsp;
Eg. i have virtual server called demo with a public ip assigned to it. I have abc.demo.com, xyz.demo.com pointed to this virtual server. If i assign a SSL profile to the virtual server, it will get assigned to both the domains. I want to use a abc profile for abc.demo.com and xyz profile for xyz.demo.com. Please advise.&nbsp;
Thanks in advance.&nbsp;

lyonsg_85618 · Answer

I don't think this is possible. The SSL negotiation is done before the HTTP processing so by the time the VIP can identify the domain name it is already too late as the client SSL profile is already in use.

mike_maher · Answer

What version are you running?

petewhite · Answer

https://devcentral.f5.com/wiki/iRules.SSL__renegotiate.ashx&nbsp;

kevin_stewart · Answer

I would concur with LyonsG. The SSL handshake happens before an HTTP host value can be evaluated. Your best options are a wildcard or SAN cert on a single client SSL profile, or Server Name Indicator (SNI) if you're running at least version 11 and all clients support TLS (> WinXP and IE6).

petewhite · Answer

You can check the HTTP host header and then call SSL Renegotiation to renegotiate the SSL and use the required SSL profile. Worth checking out anyway&nbsp;

Forum Discussion

SSL Profile (Client) per host

7 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Client vs Server SSL profile

DevCentral Connects hosts Capture the Flag!

Server Profile SNI

STREAM profile (HTTP > HTTPS) with host exception

TLS Fingerprinting to profile SSL/TLS clients without decryption