K13452: Configure a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature

Non-Diagnostic

Original Publication Date: Apr 24, 2019

Update Date: Nov 3, 2020

Topic

Purpose

You should consider using these procedures under the following condition:

You want to configure a single virtual server to serve multiple HTTPS sites using the TLS Server Name Indication (SNI) feature.

Prerequisites

You must meet the following prerequisite to use these procedures:

The certificate and key pairs for each of the HTTPS sites must be hosted on the virtual server.

Description

Prior to the introduction of TLS SNI (Server Name Indication) as part of the TLS extensions, a single virtual server could not host multiple secure websites because the destination server name can be decoded from the HTTP request header only after the SSL connection has been established.

With the introduction of TLS SNI, a client that supports TLS SNI can indicate the name of the server to which it is attempting to connect in the ClientHello packet during the SSL handshake process. A server that supports TLS SNI can use this information to select the appropriate SSL certificate to return to the client in the ServerHello packet during the SSL handshake. As a result, the client can establish a secure connection to the intended website among the multiple secure websites hosted on a single virtual server.

To support the TLS SNI feature, a virtual server must be assigned a default SSL profile for fallback and one SSL profile per HTTPS site. The fallback SSL profile is used when the server name does not match any profile or when the client does not support the TLS SNI extension. The following list is an example of the sequence of events that may occur when two clients, clientA (which supports the TLS SNI extension) and clientB (which does not support the TLS SNI extension), attempt to establish secure connections with the HTTPS site my.site1.com that is hosted on the TLS SNI virtual server:

1. clientA establishes a TCP connection to the TLS SNI virtual server.
2. clientA indicates the server name my.site1.com in its ClientHello packet and forwards the ClientHello packet to the TLS SNI virtual server.
3. The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.
4. The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.
5. The TLS SNI virtual server returns mysite1profile's SSL certificate in its ServerHello packet to clientA.
6. clientA establishes a secure connection to the TLS SNI virtual server after it successfully negotiates the remaining SSL options during the SSL handshake.
7. clientB establishes a TCP connection to the TLS SNI virtual server.
8. clientB does not support the TLS SNI extension, so there is no server name indicated in its ClientHello packet to the TLS SNI virtual server.
9. The TLS SNI virtual server observes no SNI extension in the received ClientHello packet and selects the fallback SSL profile mydefaultprofile.
10. The TLS SNI virtual server returns mydefaultprofile's SSL certificate (with CN my.default.com) in its ServerHello packet to clientB.
11. clientB warns of a possible certificate mismatch when it receives the SSL certificate (with CN my.default.com) from the ServerHello packet.
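The selection logic in the sequence above, written out as an added Python example (not F5 code, and not a description of the BIG-IP implementation): it constructs a minimal ClientHello with and without the server_name extension, extracts the SNI value, picks the profile whose Server Name matches it (exactly or by wildcard, using the matching the Server Name setting is described with later in this article, assumed here to behave like fnmatch), and otherwise selects the fallback profile. The ClientSslProfile model, the profile names and the certificate CNs are constructed for the example.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ClientSslProfile:
    """Hypothetical model of a client SSL profile: name, optional Server Name, certificate CN."""
    name: str
    server_name: str | None    # None for a profile without a Server Name (the fallback)
    cert_cn: str


def build_client_hello(server_name: str | None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input).
    With server_name=None the extensions block is omitted entirely, which is what
    a legacy client without SNI support (clientB) sends."""
    body = b"\x03\x03" + bytes(32)              # client_version, random (zeroed for the example)
    body += b"\x00"                              # session_id: empty
    body += b"\x00\x02\xc0\x2f"                  # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                          # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")       # SNI carries an ASCII host_name
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext                 # extensions length + data
    hs_msg = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs_msg)) + hs_msg   # record type handshake(22)


def extract_sni(record: bytes) -> str | None:
    """Return the server_name host_name from a ClientHello record, lower-cased,
    or None when the client sent no SNI extension."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # handshake header, client_version, random
    pos += 1 + hs[pos]                                 # session_id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + cs_len                                  # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos >= len(hs):
        return None                                    # no extensions block at all: clientB's case
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == 0:
                return name.decode("ascii").lower()
    return None


def server_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of a Server Name (exact or containing '*') against a host.
    Assumed semantics following the article's example: '*.domain.com' matches
    a.domain.com and a.bc.domain.com but not domain.com."""
    return fnmatchcase(host.lower(), pattern.lower())


def select_profile(record, profiles, fallback):
    """First profile whose Server Name matches the SNI, otherwise the fallback profile."""
    sni = extract_sni(record)
    if sni is not None:
        for profile in profiles:
            if profile.server_name and server_name_matches(profile.server_name, sni):
                return profile
    return fallback


def handshake(intended_host, supports_sni, profiles, fallback):
    """Simulate one client: (selected profile name, certificate CN, client warns on mismatch)."""
    hello = build_client_hello(intended_host if supports_sni else None)
    chosen = select_profile(hello, profiles, fallback)
    mismatch = not server_name_matches(chosen.cert_cn, intended_host)
    return chosen.name, chosen.cert_cn, mismatch


# Constructed profiles mirroring the article's scenario, plus one wildcard profile.
PROFILES = [
    ClientSslProfile("mysite1profile", "my.site1.com", "my.site1.com"),
    ClientSslProfile("wildcardprofile", "*.domain.com", "*.domain.com"),
]
FALLBACK = ClientSslProfile("mydefaultprofile", None, "my.default.com")

if __name__ == "__main__":
    for host, sni in (("my.site1.com", True), ("my.site1.com", False), ("a.bc.domain.com", True)):
        print(host, "sni" if sni else "no-sni", "->", handshake(host, sni, PROFILES, FALLBACK))
```

The clientB run returns the fallback profile and flags a mismatch, which is the certificate warning in step 11; the same fallback path is taken when a client does send SNI but no profile's Server Name matches it.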

In BIG-IP 13.x and earlier, F5 requires that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:

Ciphers
Client Authentication
Client Certificate Frequency
Certificate Chain Traversal Depth
Advertised Certificate Authorities
Certificate Revocation List (CRL)

The BIG-IP system displays an error message that appears similar to the following example if any of the settings are non-matching:

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/

In BIG-IP 14.x and later, each client SSL profile attached to a single virtual server can have different security settings.

Additionally, the BIG-IP system displays this error message if you attempt to reconfigure the previously mentioned settings in any of the SSL/TLS SNI profiles associated with the same virtual server. To avoid this error message in subsequent attempts to reconfigure the previously mentioned settings, F5 recommends that you configure a base SSL/TLS SNI profile and use this base profile as the parent profile for the SSL/TLS SNI profiles associated with the same virtual server.

Note that there is no automatic mechanism that allows the BIG-IP system to select a server SSL profile based on the Server Name value received in the client's ClientHello message. However, with the help of an iRule you can force selection of the proper ServerSSL profile based on the Host header value received in the initial HTTP request from the client. For example:

    when HTTP_REQUEST {
        # Keep the Host header without any :port suffix for use on the server side
        set hostname [getfield [HTTP::host] ":" 1]
    }
    when SERVER_CONNECTED {
        # The host name is compared in lower case, so the patterns must be lower case too
        switch -glob [string tolower $hostname] {
            "sitea.com" { SSL::profile serverssl-siteA }
            "siteb.com" { SSL::profile serverssl-siteB }
            default {
                # Default serverssl profile to be selected if the Host header value cannot be matched with the predefined values
                SSL::profile serverssl
            }
        }
    }

Note that you must configure the ServerSSL profiles to be attached to the virtual servers with the proper server name. For more information, refer to the procedures in this article.

In BIG-IP 15.1.0, a new virtual server parameter called serverssl-use-sni is added. If multiple server SSL profiles are configured and serverssl-use-sni is enabled, the system selects the server SSL profile whose server name matches the SNI extension in ClientHello. This means that an iRule is no longer required in order to select the appropriate ServerSSL profile based on SNI. This parameter is disabled by default and you can enable it only using the following command:

# tmsh modify ltm virtual httpsVS serverssl-use-sni enabled
# tmsh save sys config

For more information, refer to Bug ID 559004.

Procedures

To configure multiple HTTPS sites using TLS SNI, you must perform the following procedures:

Import the SSL certificate and key pairs for each server name
Configure the base client SSL profile
Configure the fallback (default) client SSL profile
Configure the Client SSL profiles for TLS SNI
Configure the virtual server for TLS SNI
Test the TLS SNI virtual server

Import the SSL certificate and key pairs for each server name

Before you begin configuring the BIG-IP objects for TLS SNI, you must import, to the BIG-IP system, all of the SSL certificate and key pairs that belong to the multiple HTTPS sites. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: In versions prior to BIG-IP 13.x, go to System > File Management > SSL Certificate List.

3. Select Import.
4. For Import Type, select Key.
5. For Key Name, enter a name for the certificate and key pair.
6. To locate the key file, select Browse or Choose File, depending on your browser.
7. To upload the key file to the BIG-IP system, select Import.
8. Select the name of the certificate and key pair from the SSL Certificate List.
9. Select Import.
10. To locate the certificate file, select Browse or Choose File, depending on your browser.
11. To upload the certificate file to the BIG-IP system, select Import.
12. To import each SSL certificate and key pair, repeat steps 2 through 11.

Configure the base client SSL profile

To facilitate subsequent reconfiguration of the Cipher and/or Client Authentication settings described in the earlier part of this article, you should create a base client SSL profile to serve as the parent profile of the SSL/TLS SNI profiles associated with the same virtual server. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Go to Local Traffic > Profiles > SSL > Client.
3. Select Create.
4. For Name, enter a name for the base client SSL profile.
5. Optional: Configure the remaining client SSL profile options.
6. Select Finished.

Configure the fallback (default) Client SSL profile

The system uses the fallback client SSL profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support. You can assign only one fallback SSL profile to each TLS SNI virtual server. To configure the fallback client SSL profile, perform the following procedure:

Note: You can skip this procedure if you have an SNI-enabled virtual server with a fallback client SSL profile that is already configured and assigned. Additionally, for clients that do not support TLS SNI, if the requested server name does not match the certificate and key pair for the fallback profile, clients receive certificate warnings.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Go to Local Traffic > Profiles > SSL > Client.
3. Select Create.
4. For Name, enter a name for the fallback client SSL profile.
5. For Parent Profile, select the base client SSL profile you created in the Configure the base client SSL profile procedure.
6. For Configuration, select Advanced.
7. Select the Certificate Key Chain check box and then perform one of the following actions:
   - In BIG-IP 12.0.0 and later, select Add, then select the certificate and key for the HTTPS site, and select Add again.
   - In BIG-IP 11.5.x through 11.6.x, select the certificate and key for the HTTPS site and then select Add.
   - In BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes, and then select the certificate and key for the HTTPS site.
8. Select both check boxes for Default SSL Profile for SNI.
9. Optional: Configure the remaining client SSL profile options.
10. Select Finished.

Configure the client SSL profiles for TLS SNI

To support TLS SNI, you must configure one client SSL profile per HTTPS site. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Go to Local Traffic > Profiles > SSL > Client.
3. Select Create.
4. For Name, enter a name for the HTTPS site's client SSL profile.
5. For Parent Profile, select the base client SSL profile you created in the Configure the base client SSL profile procedure.
6. For Configuration, select Advanced.
7. Select the Certificate Key Chain check box and then perform one of the following actions:
   - In BIG-IP 12.0.0 and later, select Add, then select the certificate and key for the HTTPS site, and select Add again.
   - In BIG-IP 11.5.x through 11.6.x, select the certificate and key for the HTTPS site and then select Add.
   - In BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes, and then select the certificate and key for the HTTPS site.
8. Select the Server Name check box.
9. For Server Name, enter the name of the HTTPS site.

Note: Beginning in BIG-IP 11.6.0, if you leave Server Name blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate. For versions prior to BIG-IP 11.6.0, if you leave Server Name blank, the BIG-IP system reads the Common Name (CN) from the certificate.

Additionally, the Server Name setting supports wildcard strings containing the asterisk (*) character. For example, *.domain.com matches a.domain.com or a.bc.domain.com, but it does not match domain.com.

10. Optional: Configure the remaining client SSL profile options.
11. Select Finished.
12. Repeat steps 2 through 11 for each HTTPS site.

Configure the virtual server for TLS SNI

To configure a virtual server for TLS SNI, you must assign the related client SSL profiles to the virtual server. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Go to Local Traffic > Virtual Servers > Virtual Server List.
3. Select Create.
4. For Name, enter the name of the virtual server.
5. For Destination Address/Mask, enter the IP address of the virtual server.

Note: In BIG-IP versions prior to 12.1.0, this box is named Destination Address or Destination.

6. For Service Port, enter the listening port number of the virtual server.
7. For HTTP Profile (Client), select the appropriate HTTP profile.

Note: In BIG-IP versions prior to 14.1.0, this list is named HTTP Profile.

8. For SSL Profile (Client), do the following:
   - Select the fallback client SSL profile created in the Configure the fallback (default) Client SSL profile procedure in the Available box and move it to the Selected box.
   - Select the HTTPS site's client SSL profile created in the previous procedure in the Available box and move it to the Selected box.
9. Repeat the previous step to add the remaining client SSL profiles that you created for each HTTPS site.
10. Optional: Configure the remaining virtual server options.
11. Select Finished.

Test the TLS SNI virtual server

To test connections to the TLS SNI virtual server, you can use the OpenSSL s_client utility. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to a client, such as a Linux host, that has the OpenSSL toolkit installed and has access to the BIG-IP virtual server.
2. To verify that the virtual server returns the SSL certificate for the fallback SSL profile, use the following command syntax:

openssl s_client -connect :

For example:

openssl s_client -connect 1.1.1.1:443

Because the command does not specify the server name, the virtual server should return the certificate from the fallback SSL profile.

3. To verify that the virtual server returns the SSL certificate for the TLS SNI SSL profile, use the following command syntax:

openssl s_client -servername -connect :

For example:

openssl s_client -servername abc.domain.com -connect 1.1.1.1:443

Because the command specifies the SNI server name, the virtual server should return the certificate from the TLS SNI SSL profile.

Supplemental Information

K16583: The Client SSL profile may use SAN from an SSL certificate
K6823: Creating a wildcard certificate request for multiple HTTPS sites
K11438: Creating SSL SAN certificates and CSRs using OpenSSL
SSL Profiles Part 7: Server Name Indication on DevCentral
Bug ID 674106

Applies to:

Product: BIG-IP, BIG-IP AAM, BIG-IP APM, BIG-IP ASM, BIG-IP LTM 16.X.X, 15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.6.X, 11.5.X, 11.4.X, 11.3.X, 11.2.X, 11.1.X

Product: Legacy Products, BIG-IP WebAccelerator, BIG-IP WOM, BIG-IP PSM, BIG-IP Edge Gateway 16.X.X, 15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.6.X, 11.5.X, 11.4.X, 11.3.X, 11.2.X, 11.1.X