sol13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature
How-To

Original Publication Date: 03/23/2012
Updated Date: 09/18/2014

Purpose

You should consider using this procedure under the following condition:

  • You want to configure a single virtual server to serve multiple HTTPS sites using the Transport Layer Security (TLS) Server Name Indication (SNI) feature.

Prerequisites

You must meet the following prerequisite to use this procedure:

  • The certificate and key pairs for each of the HTTPS sites must be hosted on the virtual server.

Description

Prior to the introduction of TLS SNI as part of the TLS extensions, a single virtual server could not host multiple secure websites. This was the case because the destination server name can only be decoded from the HTTP request header after the SSL connection has been established.

With the introduction of TLS SNI, the client that supports TLS SNI can indicate the name of the server to which the client is attempting to connect, in the ClientHello packet, during the SSL handshake process. The server that supports TLS SNI can use this information to select the appropriate SSL certificate to return to the client in the ServerHello packet during the SSL handshake. As a result, the client can establish secure connections to the desired secure website from the list of multiple secure websites that are hosted on a single virtual server.

Beginning in BIG-IP 11.1.0, you can assign multiple SSL profiles to a virtual server for supporting the use of the TLS SNI feature. The TLS SNI feature is not available in previous BIG-IP versions.

Beginning in BIG-IP 11.2.0, for security purposes, the BIG-IP System ensures that the following options are the same for each profile associated with the virtual server using the SNI feature:

  • Cipher List
  • Authentication (must use the same CA certificate)
  • Authenticate depth
  • Peer-cert-mode setting

You may see an error message similar to the following example if there are any non-matching options:

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/<virtual server>

For security purposes, F5 recommends that you manually configure these options identically across all of the profiles assigned to the virtual server in BIG-IP 11.1.0 and earlier.

To support the TLS SNI feature, a virtual server must be assigned a default SSL profile for fallback and one SSL profile per HTTPS site. The fallback SSL profile is used when the indicated server name does not match any profile or when the client does not support the TLS SNI extension. The following list is an example of the sequence of events that may occur when two clients, clientA (which supports the TLS SNI extension) and clientB (which does not support the TLS SNI extension), attempt to establish secure connections with the HTTPS site my.site1.com that is hosted on the TLS SNI virtual server:

  1. clientA establishes a TCP connection to the TLS SNI virtual server.
  2. clientA indicates the server name my.site1.com in its ClientHello packet and forwards the ClientHello packet to the TLS SNI virtual server.
  3. The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.
  4. The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.
  5. The TLS SNI virtual server returns mysite1profile's SSL certificate in its ServerHello packet to clientA.
  6. clientA establishes a secure connection to the TLS SNI virtual server after it successfully negotiates the remaining SSL options during the SSL handshake.
  7. clientB establishes a TCP connection to the TLS SNI virtual server.
  8. clientB does not support the TLS SNI extension, so no server name is indicated in the ClientHello packet it sends to the TLS SNI virtual server.
  9. The TLS SNI virtual server observes no SNI extension in the received ClientHello packet and selects the fallback SSL profile mydefaultprofile.
  10. The TLS SNI virtual server returns mydefaultprofile's SSL certificate (with CN my.default.com) in its ServerHello packet to clientB.
  11. clientB warns of a possible certificate mismatch when it receives the SSL certificate (with CN my.default.com) from the ServerHello packet.

Procedures

To configure multiple HTTPS sites using TLS SNI, you must perform the following procedures:

Importing the SSL certificate and key pairs for each server name

Before you begin configuring the BIG-IP objects for TLS SNI, you must import, to the BIG-IP system, all of the SSL certificate and key pairs that belong to the multiple HTTPS sites. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Click System.
  3. Click File Management.
  4. Click SSL Certificate List.
  5. Click Import.
  6. From the Import Type menu, select Key.
  7. In the Key Name box, type a name for the certificate and key pair.
  8. To locate the key file, click Browse.
  9. To upload the key file to the BIG-IP system, click Import.
  10. Click the name of the certificate and key pair from the SSL Certificate List.
  11. Click Import.
  12. To locate the certificate file, click Browse.
  13. To upload the certificate file to the BIG-IP system, click Import.
  14. To import each SSL certificate and key pair, repeat steps 5 through 13.

Configuring the fallback (default) client SSL profile

The system uses the fallback client SSL profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support. You can assign only one fallback SSL profile to each TLS SNI virtual server. To configure the fallback client SSL profile, perform the following procedure:

Note: For clients that do not support TLS SNI, if the requested server name does not match the certificate and key pair for the fallback profile, clients receive certificate warnings.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. If you have not done so, log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Click SSL.
  5. Click Client.
  6. Click Create.
  7. In the Name box, type a name for the fallback client SSL profile.
  8. From the Configuration menu, select Advanced.
  9. Select the Certificate Key Chain check box, and select the desired certificate and key for fallback.

    Note: For BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key checkboxes, and then select the desired certificates and keys for fallback.

  10. Select both check boxes for Default SSL Profile for SNI.
  11. Optional: Configure the remaining client SSL profile options, as desired.
  12. Click Finished.

Configuring the client SSL profiles for TLS SNI

To support TLS SNI, you must configure one client SSL profile per HTTPS site. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Click SSL.
  5. Click Client.
  6. Click Create.
  7. In the Name box, type a name for an HTTPS site’s client SSL profile.
  8. From the Configuration menu, select Advanced.
  9. Select the Certificate Key Chain check box, and select the desired certificate and key for the HTTPS site.

    Note: For BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes, and then select the desired certificate and key for the HTTPS site.

  10. Select the Server Name check box.
  11. Type the name of the HTTPS site in the Server Name box.

    Note: The Server Name must match the Common Name of the certificate that you selected in step 6.

  12. Optional: Configure the remaining client SSL profile options, as desired.
  13. Click Finished.
  14. Repeat steps 7 through 13 for each HTTPS site.

Configuring the virtual server for TLS SNI

To configure a virtual server for TLS SNI, you must assign the related client SSL profiles to the virtual server. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Virtual Servers.
  4. Click Virtual Server List.
  5. Click Create.
  6. In the Name box, type the name of the virtual server.
  7. In the Address box, type the IP address of the virtual server.
  8. In the Service Port box, type the listening port number of the virtual server.
  9. From the HTTP Profile menu, select the appropriate HTTP profile.
  10. Select the fallback client SSL profile created in the earlier procedure from the Available box for SSL Profile (Client), and click the << button.
  11. Select the HTTPS site’s client SSL profile created in the previous procedure from the Available box for SSL Profile (Client), and click the << button.
  12. Repeat the previous step for each HTTPS site.
  13. Optional: Configure the remaining virtual server options, as desired.
  14. Click Finished.

Supplemental Information
