topic Re: Multiple certificates on the same shared SSL VIP possible us in Application Networking

Multiple certificates on the same shared SSL VIP possible using a CSS?

scottmcgillivray — Sun, 27 Feb 2011 15:54:31 GMT

Hi again,

Does anyone know if it's possible to use the same VIP with different certificates on a CSS 11503? For example with the below config, contained in the same ssl-proxy-list, have one VIP assigned to multiple certificates.

ssl-proxy-list TESTPUB_SSL

ssl-server 100
ssl-server 100 rsacert site1cert
ssl-server 100 rsakey site1key
ssl-server 100 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
ssl-server 100 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
ssl-server 100 vip address 10.20.30.40
ssl-server 200
ssl-server 200 rsacert site2cert
ssl-server 200 rsakey site2key
ssl-server 200 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
ssl-server 200 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
ssl-server 200 vip address 10.20.30.40
active

I found several discussions on this topic and the conclusion was that it's not possible but these examples were all using multiple ssl-proxy-lists.I'm thinking that if it's in the same proxy-list that it might?

We have a small development/testing setup which I'd like to use one public IP as a front to all the backend servers but two of the backend servers use different SSL cert's. I am planning to use L5 rules to send traffic to the relevant servers/services depending on URL but want to perform SSL offload on the CSS hence why i want multiple certs working off one shared VIP.

Hopefully that makes sense. Thanks for reading and any advice.

Scott

Re: Multiple certificates on the same shared SSL VIP possible us

Gilles Dufour — Mon, 28 Feb 2011 16:02:58 GMT

How do you know which certificate to use ???

The reason it's not possible is because the SSL protocol does not allow us to do it.

To see the HTTP request and the url you need to decrypt the traffic.

And to decrypt the traffic you need to know which certificate to use.

Therefore, you have to use the ip address or the tcp port to distinguish the connections and select the appropriate certificate.

Gilles.

Re: Multiple certificates on the same shared SSL VIP possible us

scottmcgillivray — Mon, 28 Feb 2011 17:33:38 GMT

ok many thanks, i'll add a 'port 444' clause to one of the ssl-proxy entries to differentiate it.

Scott

Re: Multiple certificates on the same shared SSL VIP possible us

ahmed.gadi — Thu, 26 May 2011 06:39:43 GMT

Hi scott,

Has it worked for you ?

I have same scenario. can you please confirm ?

Regards

Ahmed...

Re: Multiple certificates on the same shared SSL VIP possible us

scottmcgillivray — Thu, 26 May 2011 07:26:27 GMT

sadly you can't use L5/url rules to dictate which certificate is used so I had to just use a differnt port other than 443 for each additional ssl policy i wanted on the same vip.In my case i just used 444 and told the web dev team to link there since it was just a QA environment.

So just use the 'port 444' option within both the content and ssl-proxy-list config stanzas to link the VIP to the correct ssl cert.

hope that helps

Scott

Re: Multiple certificates on the same shared SSL VIP possible us

ahmed.gadi — Thu, 26 May 2011 09:26:24 GMT

thanks scott,

I am with customer now and genearted 2 CSRs and send them to verisign.

I will do as you explain and will update you.

Regards

Ahmed...