12-17-2007 09:29 PM
Hi,
I have a requirement to do SSL transparent proxy for multiple websites sharing the same VIP. I want to use the host header information from the client to decide which certificate to use.
I can't seem to find anything in the documentation on how to do this (if indeed it can be done).
I have tried to enter the same VIP on two servers in the SSL proxy list, but when I activate it I get the message:
Ssl-servers 30 and 40:
%% Cannot have same virtual Ip:port combination on two ssl-servers
Anyone out there know if this can be done?
Regards,
Andrew
12-26-2007 02:45 AM
The host header is also encrypted.
So, you can't use this information to decide which key/certificate to use to decrypt the traffic.
This is a protocol limitation.
So you need to use one IP address/TCP port per certificate.
Gilles.
12-26-2007 01:42 PM
Hi Gilles,
Thanks for the reply. I have heard about "wildcard certificates" that support unlimited subdomains, e.g. a certificate for "*.abc.com" will support uat.abc.com, prod.abc.com, test.abc.com, dev.abc.com, etc.
Are these supported by the CSS, and would this be a way around the problem?
Regards,
Andrew
12-27-2007 02:07 AM
Yes, the CSS supports wildcard certificates.
But a wildcard cert is usually given to a company.
So as you said, something like *.company.com.
G.
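
The wildcard approach discussed in this thread, as an added example that is not part of the original posts and is not Cisco CSS code: a Python sketch that checks which sites can share one VIP:port behind a single certificate and which need their own, using the common rule that a wildcard covers exactly one left-most label. The function names and the hosts `abc.com`, `www.uat.abc.com` and `shop.example.net` are constructed for illustration.

```python
def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if a certificate name (possibly a wildcard) covers the hostname.

    Conservative rules assumed by this example: the wildcard must be the
    whole left-most label, it stands for exactly one label, and it must be
    followed by at least two labels (so "*.com" is rejected).
    """
    if "*" in hostname:
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcard: not accepted here
    return p == h


def plan_vips(cert_names, sites):
    """Split sites into those one certificate on a shared VIP:port can serve
    and those that need a separate VIP:port with their own certificate."""
    shared, separate = [], []
    for site in sites:
        covered = any(name_matches(n, site) for n in cert_names)
        (shared if covered else separate).append(site)
    return shared, separate


if __name__ == "__main__":
    # Constructed site list; the first four names come from the thread.
    sites = ["uat.abc.com", "prod.abc.com", "test.abc.com", "dev.abc.com",
             "abc.com", "www.uat.abc.com", "shop.example.net"]
    shared, separate = plan_vips(["*.abc.com"], sites)
    print("one VIP:port, one wildcard cert:", shared)
    print("need their own VIP:port:", separate)
```

The bare domain and any name two levels below it fall outside `*.abc.com`, so they land in the second list along with sites from another domain.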