The point of this is that we have multiple domains and therefore need multiple SSL Client side profiles, as you can only have 1 SSL profile per VS we would need multiple VSs. This would mean having to use up multiple external IP address. The basic requirement is to be able to present a spesific SSL Client profile based on the users URL request. My though was to have a "Master iRule" which looks at the URL request and then directs the user to the corrct VS. Any thoughts?

is it okay to receive certificate warning page when accessing? just in case if you have not yet seen this information. sol6823: Configuring multiple HTTPS sites on the same SSL client profile by creating a wildcard certificate request http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6823.html sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication (SNI) feature http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html hope this helps.

Hey guys thanks for the quick reply. 1. We cant use different ports as it's customer (end user) facing so has to be as standard as possible. 2. TLS v1.2 SN I've never seen before so i'll have to do some learning. 3. Problem is that it's not multiple sub domains it's multiple domains. Regarding the "you can't read the URL until the SSL connection...." are you sure as i can create redirect rule based on URL in a HTTPS connection, if i can do this it's surly simple to say Redirect to >> this VS No/ matt

SNI, like wildcard and SAN certificates, allows you to have multiple SSL sites with the same IP (same VIP). SNI is somewhat different though because it's actually an extension to the TLS protocol that, when supported, allows the server to "switch" the server certificate it presents based on what the client is asking for. Essentially, in the client's SSL CLIENTHELLO message, the client would normally say "hello, I'd like to talk SSL, and these are the ciphers I support". With SNI, the client says, "hello, I'd like to talk SSL, and this is the hostname I'd like to talk to, and here are the ciphers I support". Most modern browsers now support SNI, though you should still consider what your client base may be. To enable SNI, create a separate client SSL profile for each hostname and enter that name into the Server Name block of the profile. Also select one of the profiles to be the default should the user access with an IP or not support SNI. Apply all of these client SSL profiles to the virtual server. SNI requires v11, but that's all it takes to configure. As for selecting SSL profile via URL, that depends on if you mean hostname or URI. If by hostname then the above methods should work. If by URI, then your master VIP is potentially a good idea. You'd need two VIPs: the master VIP that clients should know and redirects based on that original URI path, and the application VIP that has the SNI (or wildcard/SAN) client SSL profiles. You cannot do URI-based load balancing until after you've negotiated the SSL session.

Thanks Kevin. You could create an iRule to redirect, but you'll need to terminate the SSL session on the F5 first and you'll have to use a single SSL certificate (for a single FQDN/CN) to do that (unless SNI is a possibility). Presumably that won't be the certificate for the domain the user has entered in their browser. If your users can tolerate a certificate warning page (when they initially connect and before you redirect them) then that's fine but it seems unlikely.

3. Problem is that it's not multiple sub domains it's multiple domains. i understand SAN certificate supports multiple domain name. Secure Multiple Domain Names with a Single SSL Certificate http://www.symantec.com/theme.jsp?themeid=san-ssl-certificates SAN (Subject Alternative Name) vs UCC (Unified Communications Certificate) https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO13974&actp=search&viewlocale=en_US&searchid=1350903150640

iRule to Decide which VS to use.

20 Replies

Core_Matrix_174
Nimbostratus
Oct 22, 2012
I 100% understand what your saying but 2 things come to mind.

1. If this is true how come products such as websense can perform URL filtering on HTTPS traffic that they dont perform SSL interception for.

2. Also if you look at a packet capture of a SSL connection the 4th packet in the connection is a "Client Hello" which has the hostname in it. At this point the server has not responded.
nitass
Employee
Oct 22, 2012
1. If this is true how come products such as websense can perform URL filtering on HTTPS traffic that they dont perform SSL interception for. i think websense has to integrate with proxyto block by url.

2. Also if you look at a packet capture of a SSL connection the 4th packet in the connection is a "Client Hello" which has the hostname in it. At this point the server has not responded.is it server_name tls extension? if so, it is SNI which we are talking.

Transport Layer Security (TLS) Extensions

http://www.ietf.org/rfc/rfc3546.txt
Mohamed_Lrhazi
Altocumulus
Oct 22, 2012
1. If this is true how come products such as websense can perform URL filtering on HTTPS traffic that they dont perform SSL interception for.

You must be mistaken. That is not possible.

2. Also if you look at a packet capture of a SSL connection the 4th packet in the connection is a "Client Hello" which has the hostname in it. At this point the server has not responded.

http://en.wikipedia.org/wiki/Server_Name_Indication
Mohamed_Lrhazi
Altocumulus
Oct 22, 2012
Actually this looks like the solution you were asking for... I did not know about this SNI thingy... it's sounds really cool!

https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086451/Multiple-Certs-One-VIP-TLS-Server-Name-Indication-via-iRules.aspx
hooleylist
Cirrostratus
Oct 22, 2012
1. Websense probably has a root cert/key that the browser trusts and can therefore generate a server cert/key dynamically for the requested hostname. Without TLS SNI, the requested hostname could be determined by Websense making a request (with TLS SNI if the client used it) or the IP address and checking the subject(s) in the server cert.

2. The client is using TLS SNI to tell the server in the unencrypted portion of the client hello which hostname it is requesting. If all of your clients support TLS SNI you could use this feature on LTM to support multiple server certs on the same virtual server.

Aaron
Kevin_Stewart
Employee
Oct 22, 2012
SNI will be in the client's CLIENTHELLO message. The fourth packet of the connection is first packet of the SSL negotiation after the TCP three-way handshake. Toward the bottom of your capture you'll see a section in the CLIENTHELLO message for extensions, and one called "Server Name".

Websense, I believe, is also capable of doing SSL man-in-the-middle, which is probably what you've encountered. BIG-IP can also do SSL man-in-the-middle, called ProxySSL, but that won't allow you to do redirects based on the URI.
Mohamed_Lrhazi
Altocumulus
Oct 22, 2012
1. Websense probably has a root cert/key that the browser trusts and can therefore generate a server cert/key dynamically

That sounds like defeating the third party authority idea behind SSL certs.... in a way, no?

But then again, googling a quick bit I saw this sentence :

To implement SSL decryption for your end users, you need a root certificate on each client machine that acts as a Certificate Authority for SSL requests to the cloud proxy.

In this doc: http://www.websense.com/content/support/library/web/hosted/admin_guide/ssl_enable.aspx

I dont know Wensense, but would be curious to know if they are doing anything more interesting that.
What_Lies_Bene1
Cirrostratus
Oct 22, 2012
In my humble opinion SSL is pretty much broken. The article gives you a good idea of that, install a 'dummy' CA on your company PCs and hey presto, no security and privacy for your users.

I specifically use self-signed certificates for my personal 'stuff' as I can rely on those and not have to trust a CA or a company administrator.

Here's a news story on two CAs that have provided SSL 'skeleton' keys to private companies and don't think they don't all do it for government organisations: http://www.theregister.co.uk/2012/02/14/trustwave_analysis/
Mohamed_Lrhazi
Altocumulus
Oct 22, 2012

I agree. I love this proposed alternative: http://en.wikipedia.org/wiki/Convergence_(SSL)

The author explains eveything, and he knows what he's talking about, here: http://www.youtube.com/watch?v=Z7Wl2FW2TcA
Core_Matrix_174
Nimbostratus
Oct 25, 2012
Thanks for your help everyone. We ended up using the SNI feature, in TLC. Which appears to work greate we can present diffrent SSL certs based on the Client request so spot on.

Also i dont understand how it works but Websense can perform url filtering on SSL traffic without Certs and proxy mode, strange but true.

Forum Discussion

iRule to Decide which VS to use.

20 Replies

Recent Discussions

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

Hey ChatGPT, can you write iRules?

POC: Validate JWT with iRule

Decrypting BIG-IP Packet Captures without iRules

irule

Avoiding Common iRules Security Pitfalls