Forum Discussion

Jesse_Reinhart_
Sep 08, 2017

SNI - no SSL profile = drop/reset

Hi!

I've got SNI working properly on my LTM virts. It's working fine, but some of the sites we host through that virt don't have SSL. Those sites don't have an SSL profile or certificate to present, so true to SNI, it presents the default SSL profile, which is a wildcard certificate for a different domain. This throws some errors in the visitor's browser, which is expected given the actions that are occurring.

Is there a way that I can have the Big-IP do something different with the connection when there's no matching SSL profile instead of presenting the wrong certificate?

Thanks!

- Jesse

3 Replies

  • I faced a similar problem. We had an SSL certificate for but when users were hitting XYZ.com they were getting a cert error, so I created two SSL profiles with the same certificate, and in one profile I used SNI as and in the other profile I used SNI as XYZ.com. Then I attached both profiles to the VIP.

      Jesse_Reinhart_

      Thanks for the response! What I'm looking for is actually to see if the VIP can drop traffic if there's not an SSL profile/certificate for that domain, rather than providing the default SSL profile since that causes a certificate mismatch warning.