The TLS protocol provides the ability to pass a "desired server name" as a value in the initial SSL handshake. SNI (Server Name Indication, defined in RFC 4366) is an extension to the TLS protocol that allows the client to include the requested hostname in the first message of the SSL handshake (the Client Hello). This allows the server to determine the correct named host for the request and set up the connection accordingly from the start, so that the certificate for that host can be presented rather than a single default one.
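The parsing a server has to do on that first message, as an added example that is not part of the original post and is not F5 code: it constructs a minimal TLS 1.2 ClientHello carrying a server_name extension (the hostname, random bytes and cipher suite are constructed sample values) and extracts the name the way an SNI-aware listener does before it chooses a certificate. It also returns None for a client that sends no extension at all, which is the case the fallback (default) profile described later in the post exists for.

```python
"""Extract the server_name (SNI) value from a TLS ClientHello.

Added example (not from the original post and not F5 code). It builds a
constructed ClientHello and then parses it the way an SNI-aware server
must before choosing a certificate: read the handshake record, walk past
the fixed ClientHello fields, and find extension type 0 (server_name,
RFC 4366 / RFC 6066). The random bytes and cipher suite in the
constructed message are arbitrary sample values.
"""
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0   # server_name extension
SNI_HOST_NAME_TYPE = 0   # host_name entry type inside ServerNameList


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample data)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME_TYPE, len(name)) + name  # ServerName
        name_list = struct.pack("!H", len(entry)) + entry                  # ServerNameList
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x11" * 32              # random (constructed, fixed value)
        + b"\x00"                   # session_id: empty
        + b"\x00\x02\xc0\x2f"       # cipher_suites: one suite
        + b"\x01\x00"               # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None.

    None means "no usable SNI": not a ClientHello, truncated, or a client
    that sent no server_name extension.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                   # truncated record

    pos = 2 + 32                                      # version + random
    try:
        pos += 1 + body[pos]                          # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos == len(body):
            return None                               # no extensions block at all
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type != SNI_EXTENSION_TYPE or len(data) != ext_data_len:
                continue
            # ServerNameList: 2-byte length, then (type, length, name) entries
            (list_len,) = struct.unpack("!H", data[:2])
            lp, list_end = 2, min(2 + list_len, len(data))
            while lp + 3 <= list_end:
                name_type = data[lp]
                (name_len,) = struct.unpack("!H", data[lp + 1:lp + 3])
                lp += 3
                name = data[lp:lp + name_len]
                lp += name_len
                if name_type == SNI_HOST_NAME_TYPE and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
    except (IndexError, struct.error):
        return None                                   # malformed or short ClientHello
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("mail.opensrs.com")))
    print(extract_sni(build_client_hello(None)))
```

The parser never trusts a length field beyond the bytes it actually has, which is what a listener on a public address needs: a short or malformed ClientHello yields None and falls through to the default profile instead of an exception.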
Wildcard certificate: allows unlimited subdomains to be protected with a single certificate. For example, you could use a wildcard certificate for the domain name opensrs.com and that cert would also work for mail.opensrs.com, ftp.opensrs.com and any other subdomain. The wildcard refers to the fact that the cert is provisioned for *.opensrs.com.
SAN certificate: allows multiple domain names to be protected with a single certificate. For example, you could get a certificate for opensrs.com, and then add more SAN values to have the same certificate protect opensrs.org, opensrs.net and even tucows.com.
Browsers with SNI support:
- Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even with Internet Explorer 8 (support for this feature is not browser version dependent; it depends on the SChannel system component, which introduced support for the TLS SNI extension starting from Windows Vista, not XP).
- Mozilla Firefox 2.0 or later
- Opera 8.0 (2005) or later (the TLS 1.1 protocol must be enabled)
- Opera Mobile at least version 10.1 beta on Android
- Google Chrome (Vista or higher. XP on Chrome 6 or newer. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
- Safari 3.0 or later (Mac OS X 10.5.6 or higher and Windows Vista or higher)
- Konqueror/KDE 4.7 or later
- MobileSafari in Apple iOS 4.0 or later
- Android default browser on Honeycomb (v3.x) or newer
- Windows Phone 7
- MicroB on Maemo
- Odyssey on MorphOS
Simplified Six Steps:
- Import the key.
- Click the key and import the certificate.
- Create a fallback profile as the SNI default: enable Default SSL Profile for SNI.
- Create a separate client SSL profile for each imported certificate (each with a unique certificate).
- Enable Server Name while creating each client SSL profile and leave the Server Name field blank; the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate.
- Apply all the client SSL profiles, along with the configured fallback profile, to the single virtual server.
- You are done with the configuration.
LTM Configuration:
Importing the SSL certificate and key pairs for each server name:
- Log in to the Configuration utility.
- Click System.
- Click File Management.
- Click SSL Certificate List.
- Click Import.
- From the Import Type menu, select Key.
- In the Key Name box, type a name for the certificate and key pair.
- To locate the key file, click Browse.
- To upload the key file to the BIG-IP system, click Import.
- Click the name of the certificate and key pair from the SSL Certificate List.
- Click Import.
- To locate the certificate file, click Browse.
- To upload the certificate file to the BIG-IP system, click Import.
- To import each SSL certificate and key pair, repeat steps 5 through 13.
Configuring the base client SSL profile:
- If you have not done so, log in to the Configuration utility.
- Click Local Traffic.
- Click Profiles.
- Click SSL.
- Click Client.
- Click Create.
- In the Name box, type a name for the base client SSL profile.
- Optional: Configure the remaining client SSL profile options, as desired.
- Click Finished.
Configuring the fallback (default) client SSL profile:
- If you have not done so, log in to the Configuration utility.
- Click Local Traffic.
- Click Profiles.
- Click SSL.
- Click Client.
- Click Create.
- In the Name box, type a name for the fallback client SSL profile.
- For the Parent Profile setting, select the base client SSL profile you created in the Configuring the base client SSL profile procedure.
- From the Configuration menu, select Advanced.
- Select the Certificate Key Chain check box, select the desired certificate and key for fallback, and click Add. Note: For BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes, and then select the desired certificate and key for fallback.
- Select both check boxes for Default SSL Profile for SNI.
- Optional: Configure the remaining client SSL profile options, as desired.
- Click Finished.
Configuring the client SSL profiles for TLS SNI:
- Log in to the Configuration utility.
- Click Local Traffic.
- Click Profiles.
- Click SSL.
- Click Client.
- Click Create.
- In the Name box, type a name for the HTTPS site's client SSL profile.
- For the Parent Profile setting, select the base client SSL profile you created in the Configuring the base client SSL profile procedure.
- From the Configuration menu, select Advanced.
- Select the Certificate Key Chain check box, select the desired certificate and key for the HTTPS site, and click Add. Note: For BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes, and then select the desired certificate and key for the HTTPS site.
- Select the Server Name check box.
- Type the name of the HTTPS site in the Server Name box. Note: Beginning in BIG-IP 11.6.0, if you leave the Server Name box blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate. For versions prior to BIG-IP 11.6.0, if you leave the Server Name box blank, the BIG-IP system reads the Common Name (CN) from the certificate.
- Optional: Configure the remaining client SSL profile options, as desired.
- Click Finished.
- Repeat steps 7 through 13 for each HTTPS site.
Server Name: Specifies the fully qualified DNS hostname of the server that is used in SNI communications. Using the server name, the Local Traffic Manager can choose from multiple SSL profiles prior to the SSL handshake. If no value is specified, the system uses the Common Name value from the default certificate. The default for this setting leaves the name blank. For Client SSL profiles, you can type a comma-separated list of domain names in the Server Name box. For Server SSL profiles, you can type a single domain name only. Note that the wildcard character (*) is supported within any domain name that you specify.
Default SSL Profile for SNI: Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support. Note that when assigning multiple SSL profiles to a single virtual server, you can enable this setting on one Client SSL profile only and on one Server SSL profile only. The default for this setting is unchecked.
Require Peer SNI support: Requires that all network peers provide SNI support as well. If you enable both "Default SSL Profile for SNI" and "Require Peer SNI support," the system terminates the connection when the client provides no SNI extension. The default for this setting is unchecked.
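The selection behaviour these three settings describe, as an added example (not F5 code and not the BIG-IP implementation): a small model of the Server Name list (comma-separated, wildcard allowed), Default SSL Profile for SNI and Require Peer SNI support, applied to the wildcard and SAN certificate cases from the start of the post. Profile names and hostnames are constructed. Two assumptions go beyond the text: a leading "*." is matched to exactly one DNS label (the RFC 6125 convention), since the post only says the wildcard is supported, and when more than one profile's list matches, the first one in the list wins.

```python
"""Model how a virtual server picks a client SSL profile from the SNI value.

Added example, not F5 code. It models the documented meaning of three
settings: Server Name (comma-separated list, wildcard allowed), Default SSL
Profile for SNI and Require Peer SNI support. Names and hostnames below are
constructed for the example. Assumptions: '*.' matches exactly one label
(RFC 6125 style), and first matching profile wins.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientSSLProfile:
    name: str
    server_names: List[str] = field(default_factory=list)  # the Server Name box
    sni_default: bool = False   # "Default SSL Profile for SNI"
    sni_require: bool = False   # "Require Peer SNI support"


class ConnectionRejected(Exception):
    """Raised where the BIG-IP would terminate the handshake."""


def parse_server_name_box(value: str) -> List[str]:
    """Split the comma-separated Server Name box into individual entries."""
    return [n.strip() for n in value.split(",") if n.strip()]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of an SNI hostname against one Server Name entry.

    '*.opensrs.com' covers mail.opensrs.com and ftp.opensrs.com but not the
    bare opensrs.com and not a.b.opensrs.com (one label only, assumed here).
    """
    pattern = pattern.strip().lower().rstrip(".")
    hostname = hostname.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".opensrs.com"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[: -len(suffix)]
        return bool(first_label) and "." not in first_label
    return pattern == hostname


def select_profile(profiles: List[ClientSSLProfile], sni: Optional[str]) -> ClientSSLProfile:
    """Return the profile the handshake would use for the given SNI value.

    sni=None models a client that sent no server_name extension.
    """
    defaults = [p for p in profiles if p.sni_default]
    if len(defaults) != 1:
        # the post: exactly one client SSL profile per virtual server may be the SNI default
        raise ValueError("exactly one profile must have Default SSL Profile for SNI enabled")
    default = defaults[0]

    if sni is None:
        if default.sni_require:
            raise ConnectionRejected("no SNI extension from client and peer SNI is required")
        return default

    for p in profiles:
        if any(hostname_matches(pat, sni) for pat in p.server_names):
            return p
    return default                                  # no match: fall back


def terminates_without_sni(profiles: List[ClientSSLProfile]) -> bool:
    """True where a client that sends no SNI would be disconnected."""
    try:
        select_profile(profiles, None)
    except ConnectionRejected:
        return True
    return False


# Constructed sample configuration: one fallback, one wildcard cert, one SAN cert
SAMPLE_PROFILES = [
    ClientSSLProfile("fallback_clientssl", sni_default=True),
    ClientSSLProfile("opensrs_wildcard", parse_server_name_box("*.opensrs.com, opensrs.com")),
    ClientSSLProfile("tucows_san", parse_server_name_box("tucows.com, opensrs.org, opensrs.net")),
]

if __name__ == "__main__":
    for host in ("mail.opensrs.com", "OPENSRS.NET", "a.b.opensrs.com", None):
        print(host, "->", select_profile(SAMPLE_PROFILES, host).name)
```

Running the model makes the defensive point of the fallback profile concrete: any hostname that matches nothing, and any client without SNI, lands on the fallback certificate, so that certificate should be one you are happy to expose to every client that hits the address, and Require Peer SNI support is the knob for refusing such clients instead.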
Configuring the virtual server for TLS SNI:
- Log in to the Configuration utility.
- Click Local Traffic.
- Click Virtual Servers.
- Click Virtual Server List.
- Click Create.
- In the Name box, type the name of the virtual server.
- In the Address box, type the IP address of the virtual server.
- In the Service Port box, type the listening port number of the virtual server.
- From the HTTP Profile menu, select the appropriate HTTP profile.
- Select the fallback (default) client SSL profile created in the Configuring the fallback (default) client SSL profile procedure from the Available box for SSL Profile (Client), and click the << button.
- Select the HTTPS site's client SSL profile created in the Configuring the client SSL profiles for TLS SNI procedure from the Available box for SSL Profile (Client), and click the << button.
- Repeat the previous step for each HTTPS site.
- Optional: Configure the remaining virtual server options, as desired.
- Click Finished.
Reference Link:
https://support.f5.com/csp/#/article/K13452