Forum Discussion

F5_Freek_243545's avatar
F5_Freek_243545
Icon for Nimbostratus rankNimbostratus
Jan 18, 2016
Solved

Can we have multiple Client SSL profile on single VIP?

Hi There,

Can we have multiple client SSL profile on single VIP? I am looking for some help on this.

We need to have some rules like below.

www.mywebsite.rain.com  --> SSL Profile SSL_rain
www.mywebsite.snow.com  --> SSL Profile SSL_snow
www.mywebsite.sunny.com  --> SSL Profile SSL_sunny

This requirement is based on application side as we use same VIP for all three websites and the server is determining which website to present to the user based in urls.

Can someone shed some lights on this please??

iRules
LTM
security
ssl

7 Replies

Sort By
    • F5_Freek_243545's avatar
      F5_Freek_243545
      Icon for Nimbostratus rankNimbostratus
      Jan 18, 2016
      Hi Pascal, Using TLS SNI, we can have only one fall back SSL profile right? I have three different URLS. Can we configure three different profiles?
  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Historic F5 Account
    Jan 18, 2016

    You can have several Client SSL profile assigned the virtual server. One of the profile must have "Default SSL Profile for SNI" enable, and the "server name" must be different for each profile.

     

  • F5_Freek_243545's avatar
    F5_Freek_243545
    Icon for Nimbostratus rankNimbostratus
    Jan 18, 2016

    There is a challenge that the client must support TLS SNI right? We have internet based clients and cant predict the nature of the clients.

     

    Can we create an irule for the same ?

     

    • Chris_Grant's avatar
      Chris_Grant
      Icon for Employee rankEmployee
      Jan 18, 2016
      I would point out that SNI has been supported by IE since 2006 (v7), Firefox since 2006 (v2), and Chrome since 2010 (v6). For comparison, Chrome 6.0 does not support TLS 1.1 or TLS 1.2, nor does Firefox 2.0 or Internet Explorer 7. I can understand wanting to reach these customers, but these are at this point extremely out of date browsers.
    • John_Alam_45640's avatar
      John_Alam_45640
      Historic F5 Account
      Jan 19, 2016
      i agree with cg4unix. In any case, the iRule itself cannot solve this issue because it does not see the hostname unless SNI is enabled and supported. Alternatives are wildcard or SAN certs. With wildcard certs you will have only one profile, the iRule can chose a pool based on the host name.