Multiple Certs on One VIP

The TLS protocol gives the client a way to pass the desired server name as a value in the opening message of the SSL handshake, which is what makes serving several certificates from a single virtual server practical.


SNI (defined in RFC 4366) is an extension to the TLS protocol that allows the client to include the requested hostname in the first message of the SSL handshake (Client Hello). This allows the server to determine the correct named host for the request and set up the connection accordingly from the start.


wildcard certificate: allows for unlimited subdomains to be protected with a single certificate. For example, you could use a wildcard certificate for the domain name opensrs.com and that cert would also work for mail.opensrs.com, ftp.opensrs.com and any other subdomain. The wildcard refers to the fact that the cert is provisioned for *.opensrs.com.


SAN certificate: allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for opensrs.com, and then add more SAN values to have the same certificate protect opensrs.org, opensrs.net and even tucows.com.


Legacy Secure Connection: [diagram not reproduced in this copy]

Secure Connection with SNI: [diagram not reproduced in this copy]


According to Wikipedia, the following browsers support SNI:

Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, not even with Internet Explorer 8 (support for this feature does not depend on the browser version; it depends on the SChannel system component, which introduced the TLS SNI extension starting with Windows Vista, not XP).
Mozilla Firefox 2.0 or later
Opera 8.0 (2005) or later (the TLS 1.1 protocol must be enabled)
Opera Mobile at least version 10.1 beta on Android
Google Chrome (Vista or higher. XP on Chrome 6 or newer. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
Safari 3.0 or later (Mac OS X 10.5.6 or higher and Windows Vista or higher)
Konqueror/KDE 4.7 or later
MobileSafari in Apple iOS 4.0 or later
Android default browser on Honeycomb (v3.x) or newer
Windows Phone 7
MicroB on Maemo
Odyssey on MorphOS


Simplified Six Steps:

  1. Import the key.
  2. Click on the key and import the certificate.
  3. Create the fallback profile as the SNI default by enabling Default SSL Profile for SNI.
  4. Create a separate client SSL profile for each imported certificate (each with a unique certificate).
  5. Enable Server Name while creating each client SSL profile and leave the Server Name field blank; the BIG-IP system then reads the Subject Alternative Name (SAN) from the certificate.
  6. Apply all the client SSL profiles, together with the configured fallback profile, to the single virtual server.
  7. The configuration is complete.
LTM Configuration:

Importing the SSL certificate and key pairs for each server name:

  1. Log in to the Configuration utility.
  2. Click System.
  3. Click File Management.
  4. Click SSL Certificate List.
  5. Click Import.
  6. From the Import Type menu, select Key.
  7. In the Key Name box, type a name for the certificate and key pair.
  8. To locate the key file, click Browse.
  9. To upload the key file to the BIG-IP system, click Import.
  10. Click the name of the certificate and key pair from the SSL Certificate List.
  11. Click Import.
  12. To locate the certificate file, click Browse.
  13. To upload the certificate file to the BIG-IP system, click Import.
  14. To import each SSL certificate and key pair, repeat steps 5 through 13.

Configuring the base client SSL profile:

  1. If you have not done so, log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Click SSL.
  5. Click Client.
  6. Click Create.
  7. In the Name box, type a name for the base client SSL profile.
  8. Optional: Configure the remaining client SSL profile options, as desired.
  9. Click Finished.

Configuring the fallback (default) client SSL profile:

  1. If you have not done so, log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Click SSL.
  5. Click Client.
  6. Click Create.
  7. In the Name box, type a name for the fallback client SSL profile.
  8. For the Parent Profile setting, select the base client SSL profile you have created in the Configuring the base client SSL profile procedure.
  9. From the Configuration menu, select Advanced.
  10. Select the Certificate Key Chain check box, select the desired certificate and key for fallback, and click Add. Note: For BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key checkboxes, and then select the desired certificates and keys for fallback.
  11. Check both the boxes for Default SSL Profile for SNI.
  12. Optional: Configure the remaining client SSL profile options, as desired.
  13. Click Finished.

Configuring the client SSL profiles for TLS SNI:

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Click SSL.
  5. Click Client.
  6. Click Create.
  7. In the Name box, type a name for an HTTPS site's client SSL profile.
  8. For the Parent Profile setting, select the base client SSL profile you have created in the Configuring the base client SSL profile procedure.
  9. From the Configuration menu, select Advanced.
  10. Select the Certificate Key Chain check box, select the desired certificate and key for the HTTPS site, and click Add. Note: For BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes, and then select the desired certificate and key for the HTTPS site.
  11. Select the Server Name check box.
  12. Type the name of the HTTPS site in the Server Name box. Note: Beginning in BIG-IP 11.6.0, if you leave the Server Name box blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate. For versions prior to BIG-IP 11.6.0, if you leave the Server Name box blank, the BIG-IP system reads the Common Name (CN) from the certificate.
  13. Optional: Configure the remaining client SSL profile options, as desired.
  14. Click Finished.
  15. Repeat steps 7 through 13 for each HTTPS site.

Server Name:
Specifies the fully qualified DNS hostname of the server that is used in SNI communications. Using the server name, the Local Traffic Manager can choose from multiple SSL profiles prior to the SSL handshake. If no value is specified, the system uses the Common Name value from the default certificate. The default for this setting leaves the name blank. For Client SSL profiles, you can type a comma-separated list of domain names in the Server Name box. For Server SSL profiles, you can type a single domain name only (note that the wildcard character (*) is supported within any domain name that you specify).

Default SSL Profile for SNI:
Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support. Note that when assigning multiple SSL profiles to a single virtual server, you can enable this setting on one Client SSL profile only and on one Server SSL profile only. The default for this setting is unchecked.

Require Peer SNI Support:
Requires that all network peers provide SNI support as well. If you enable both "Default SSL Profile for SNI" and "Require Peer SNI Support," the system terminates the connection when the client provides no SNI extension. The default for this setting is unchecked.
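As an added example (not from this post and not F5 code), the following Python models how the three settings above combine when a connection arrives: a Server Name match wins, otherwise the Default SSL Profile for SNI is used, and a client that sends no SNI is rejected when that default profile also has Require Peer SNI Support enabled. The same matching routine covers the wildcard case from the certificate section earlier, under the assumed single-label rule (`*.opensrs.com` covers mail.opensrs.com but not opensrs.com or a.b.opensrs.com). Profile and server names are constructed sample values; the blank-box behaviour of reading the CN or SAN out of the certificate is not modelled, so names are listed explicitly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientSslProfile:
    name: str
    server_names: tuple = ()       # parsed from the comma-separated Server Name box
    sni_default: bool = False      # "Default SSL Profile for SNI"
    sni_require: bool = False      # "Require Peer SNI Support"


def parse_server_name_box(text):
    """Split the Server Name box into normalised names (client profiles allow a list)."""
    return tuple(n.strip().lower().rstrip(".") for n in text.split(",") if n.strip())


def name_matches(pattern, hostname):
    """Match a hostname against a configured name. Assumed rule: '*' stands for exactly
    one whole label (as with wildcard certificates), so '*.opensrs.com' covers
    mail.opensrs.com but not opensrs.com or a.b.opensrs.com."""
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def select_profile(profiles, sni_hostname):
    """Apply the rules from the text: a server-name match wins; otherwise the SNI default
    profile is used; a client that sends no SNI is rejected (None) when the default
    profile also requires peer SNI support."""
    defaults = [p for p in profiles if p.sni_default]
    if len(defaults) > 1:
        raise ValueError("only one client SSL profile per virtual server may be the SNI default")
    fallback = defaults[0] if defaults else None
    if sni_hostname:
        host = sni_hostname.lower().rstrip(".")
        for p in profiles:
            if any(name_matches(n, host) for n in p.server_names):
                return p
        return fallback                      # no match: default profile (if any)
    if fallback is not None and fallback.sni_require:
        return None                          # no SNI extension: connection terminated
    return fallback


def sample_profiles(require_sni=False):
    """Constructed sample set: one fallback profile and two site profiles."""
    return [
        ClientSslProfile("fallback_clientssl", (), sni_default=True, sni_require=require_sni),
        ClientSslProfile("site1_clientssl", parse_server_name_box("www.opensrs.com, opensrs.com")),
        ClientSslProfile("site2_clientssl", parse_server_name_box("*.opensrs.org")),
    ]


if __name__ == "__main__":
    for host in ("www.opensrs.com", "mail.opensrs.org", "a.b.opensrs.org", None):
        chosen = select_profile(sample_profiles(), host)
        print(host, "->", chosen.name if chosen else "rejected")
```

Running the sample shows the point of the fallback profile: a legacy client with no SNI, or a hostname nobody configured, still gets the fallback certificate, and the only way to turn that into a refused connection is the Require Peer SNI Support flag on the default profile.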


Configuring the virtual server for TLS SNI:

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Virtual Servers.
  4. Click Virtual Server List.
  5. Click Create.
  6. In the Name box, type the name of the virtual server.
  7. In the Address box, type the IP address of the virtual server.
  8. In the Service Port box, type the listening port number of the virtual server.
  9. From the HTTP Profile menu, select the appropriate HTTP profile.
  10. Select the fallback client SSL profile (the one with Default SSL Profile for SNI enabled) created in the previous procedure from the Available box for SSL Profile (Client), and click the << button.
  11. Select the HTTPS site’s client SSL profile created in the previous procedure from the Available box for SSL Profile (Client), and click the << button.
  12. Repeat the previous step for each HTTPS site.
  13. Optional: Configure the remaining virtual server options, as desired.
  14. Click Finished.
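The same configuration expressed for automation, as an added Python example rather than anything from this post or from F5: it builds iControl REST request bodies for the base, fallback and per-site client SSL profiles and for the virtual server, and enforces the rule from the field descriptions that only one client SSL profile on a virtual server may be the SNI default before anything is sent. The REST paths and the camelCase property names (defaultsFrom, certKeyChain, serverName, sniDefault, sniRequire, profiles with context) are assumed from the tmsh attribute names and should be checked against the BIG-IP version in use; certificate, profile and address values are sample placeholders.

```python
import base64
import json
import urllib.request

# Assumed iControl REST collection paths; verify against your BIG-IP version.
CLIENT_SSL_PATH = "/mgmt/tm/ltm/profile/client-ssl"
VIRTUAL_PATH = "/mgmt/tm/ltm/virtual"


def client_ssl_profile(name, parent, cert, key, server_name=None,
                       sni_default=False, sni_require=False, partition="Common"):
    """Body for one client SSL profile: cert/key chain plus the three SNI settings
    (property names assumed from the tmsh attributes)."""
    body = {
        "name": name,
        "partition": partition,
        "defaultsFrom": f"/{partition}/{parent}",
        "certKeyChain": [{"name": f"{name}_chain",
                          "cert": f"/{partition}/{cert}",
                          "key": f"/{partition}/{key}"}],
        "sniDefault": "true" if sni_default else "false",
        "sniRequire": "true" if sni_require else "false",
    }
    if server_name:
        body["serverName"] = server_name   # client profiles accept a comma-separated list
    return body


def virtual_server(name, address, port, http_profile, client_ssl_names, partition="Common"):
    """Body for the virtual server with the HTTP profile and every client SSL profile."""
    profiles = [{"name": f"/{partition}/{http_profile}", "context": "all"}]
    profiles += [{"name": f"/{partition}/{p}", "context": "clientside"} for p in client_ssl_names]
    return {"name": name, "partition": partition,
            "destination": f"/{partition}/{address}:{port}",
            "ipProtocol": "tcp", "profiles": profiles}


def validate_profiles(profile_bodies):
    """Exactly one client SSL profile on the virtual may be the SNI default; names unique."""
    defaults = [b["name"] for b in profile_bodies if b.get("sniDefault") == "true"]
    if len(defaults) != 1:
        raise ValueError(f"expected exactly one SNI default profile, got {defaults}")
    names = [b["name"] for b in profile_bodies]
    if len(set(names)) != len(names):
        raise ValueError("duplicate profile names")
    return defaults[0]


def build_plan():
    """Constructed sample plan: base profile, fallback, two site profiles, one virtual."""
    base = {"name": "base_clientssl", "partition": "Common", "defaultsFrom": "/Common/clientssl"}
    fallback = client_ssl_profile("fallback_clientssl", "base_clientssl",
                                  "fallback.crt", "fallback.key", sni_default=True)
    site1 = client_ssl_profile("site1_clientssl", "base_clientssl", "site1.crt", "site1.key",
                               server_name="www.site1.example")
    site2 = client_ssl_profile("site2_clientssl", "base_clientssl", "site2.crt", "site2.key",
                               server_name="www.site2.example,site2.example")
    sni_profiles = [fallback, site1, site2]
    validate_profiles(sni_profiles)
    vs = virtual_server("vs_https_sni", "192.0.2.10", 443, "http",
                        [p["name"] for p in sni_profiles])
    return {"client_ssl": [base] + sni_profiles, "virtual": vs}


def push(host, user, password, plan):
    """POST each object to the BIG-IP over HTTPS with basic auth (not run here; needs a
    reachable device and a trusted management certificate, since urllib verifies TLS)."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()

    def post(path, body):
        req = urllib.request.Request(
            f"https://{host}{path}", data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    for body in plan["client_ssl"]:
        post(CLIENT_SSL_PATH, body)
    return post(VIRTUAL_PATH, plan["virtual"])


if __name__ == "__main__":
    print(json.dumps(build_plan(), indent=2))
```

Building and validating the bodies before calling push keeps the one-default constraint in the place where a mistake is cheapest; the GUI only reports the conflict after the second profile is attached to the virtual server.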

Use the link below to check whether your browser supports TLS SNI:

Reference Link:

https://support.f5.com/csp/#/article/K13452
