Purpose
You should consider using this procedure under the following condition:
- You want to configure a single virtual server to serve multiple HTTPS sites using the Transport Layer Security (TLS) Server Name Indication (SNI) feature.
Prerequisites
You must meet the following prerequisite to use this procedure:
- The certificate and key pairs for each of the HTTPS sites must be hosted on the virtual server.
Description
Prior to the introduction of TLS SNI as part of the TLS extensions, a client could not establish secure connections to multiple virtual servers hosted on a single IP address. This was because the destination server name could be read only from the HTTP request header, which is available only after the SSL connection has been established.
With the introduction of TLS SNI, the client that supports TLS SNI can indicate the name of the server to which the client is attempting to connect, in the ClientHello packet, during the SSL handshake process. The server that supports TLS SNI can use this information to select the appropriate SSL certificate to return to the client in the ServerHello packet during the SSL handshake. As a result, the client can establish secure connections to multiple virtual servers that are hosted on a single IP address.
Beginning in BIG-IP 11.1.0, you can assign multiple SSL profiles to a virtual server for supporting the use of the TLS SNI feature. The TLS SNI feature is not available in previous BIG-IP versions.
To support the TLS SNI feature, a virtual server must be assigned a default SSL profile for fallback and one SSL profile per HTTPS site. The fallback SSL profile is used when the server name does not match or when the client does not support the TLS SNI extensions. The following list is an example of the sequence of events that may occur when two clients, clientA (which supports the TLS SNI extension) and clientB (which does not support the TLS SNI extension), attempt to establish secure connections with the HTTPS site my.site1.com that is hosted on the TLS SNI virtual server:
- clientA establishes a TCP connection to the TLS SNI virtual server.
- clientA indicates the server name my.site1.com in its ClientHello packet and forwards the ClientHello packet to the TLS SNI virtual server.
- The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.
- The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.
- The TLS SNI virtual server returns mysite1profile's SSL certificate in its ServerHello packet to clientA.
- clientA establishes a secure connection to the TLS SNI virtual server after it successfully negotiates the remaining SSL options during the SSL handshake.
- clientB establishes a TCP connection to the TLS SNI virtual server.
- clientB does not support the TLS SNI extension, so its ClientHello packet to the TLS SNI virtual server indicates no server name.
- The TLS SNI virtual server observes no SNI extension in the received ClientHello packet and selects the fallback SSL profile mydefaultprofile.
- The TLS SNI virtual server returns mydefaultprofile's SSL certificate (with CN my.default.com) in its ServerHello packet to clientB.
- clientB warns of a possible certificate mismatch when it receives the SSL certificate (with CN my.default.com) from the ServerHello packet.
Procedures
To configure multiple HTTPS sites using TLS SNI, you must perform the following procedures:
Importing the SSL certificate and key pairs for each server name
Before you begin configuring the BIG-IP objects for TLS SNI, you must import all of the SSL certificate and key pairs that belong to the HTTPS sites to the BIG-IP system. To do so, perform the following procedure:
Impact of procedure: None.
1. Log in to the Configuration utility.
2. Navigate to Local Traffic > SSL Certificate List.
3. Click Import.
4. From the Import Type menu, select Key.
5. In the Key Name box, type a name for the certificate and key pair.
6. Click Browse to locate the key file.
7. Click Import to upload the key file to the BIG-IP system.
8. Click the name of the certificate and key pair in the SSL Certificate List.
9. Click Import.
10. Click Browse to locate the certificate file.
11. Click Import to upload the certificate file to the BIG-IP system.
12. Repeat Steps 3 through 11 for each SSL certificate and key pair.
Configuring the fallback (default) clientSSL profile
The system uses the fallback clientSSL profile as the default SSL profile when no assigned profile matches the indicated server name, or when the client does not support the SNI extension. You can assign only one fallback SSL profile to each TLS SNI virtual server. To configure the fallback clientSSL profile, perform the following procedure:
Note: For clients that do not support TLS SNI, if the requested server name does not match the certificate and key pair for the fallback profile, clients receive certificate warnings.
Impact of procedure: None.
1. If you have not done so, log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles > SSL > Client.
3. Click Create.
4. In the Name box, type a name for the fallback clientSSL profile.
5. From the Configuration menu, select Advanced.
6. Select the Certificate check box, and select the desired certificate for fallback.
7. Select the Key check box, and select the desired key for fallback.
8. Select both check boxes for Default SSL Profile for SNI.
9. Optional: Configure the remaining clientSSL profile options, as desired.
10. Click Finished.
Configuring the clientSSL profiles for TLS SNI
To support TLS SNI, you must configure one clientSSL profile per HTTPS site. To do so, perform the following procedure:
Impact of procedure: None.
1. If you have not done so, log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles > SSL > Client.
3. Click Create.
4. In the Name box, type a name for an HTTPS site's clientSSL profile.
5. From the Configuration menu, select Advanced.
6. Select the Certificate check box, and select the desired certificate for the HTTPS site.
7. Select the Key check box, and select the desired key for the HTTPS site.
8. Select the Server Name check box.
9. Type the name of the HTTPS site in the Server Name box.
Note: The Server Name must match the Common Name of the certificate that you selected in Step 6.
10. Optional: Configure the remaining clientSSL profile options, as desired.
11. Click Finished.
12. Repeat Steps 3 through 11 for each HTTPS site.
Configuring the virtual server for TLS SNI
To configure a virtual server for TLS SNI, you must assign the related clientSSL profiles to the virtual server. To do so, perform the following procedure:
Impact of procedure: None.
1. If you have not done so, log in to the Configuration utility.
2. Navigate to Local Traffic > Virtual Servers > Virtual Server List.
3. Click Create.
4. In the Name box, type the name of the virtual server.
5. In the Address box, type the IP address of the virtual server.
6. In the Service Port box, type the listening port number of the virtual server.
7. From the HTTP Profile menu, select the appropriate HTTP profile.
8. For SSL Profile (Client), select the fallback (default) clientSSL profile that you created in Configuring the fallback (default) clientSSL profile from the Available box, and click the << button.
9. For SSL Profile (Client), select the HTTPS site's clientSSL profile that you created in the previous procedure from the Available box, and click the << button.
10. Repeat the previous step for each HTTPS site.
11. Optional: Configure the remaining virtual server options, as desired.
12. Click Finished.
Supplemental Information