K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server

Name Indication feature

Non-Diagnostic

Original Publication Date: Apr 24, 2019

Update Date: Feb 5, 2020

Topic

Purpose

You should consider using these procedures under the following condition:

You want to configure a single virtual server to serve multiple HTTPS sites using the Transport Layer
Security (TLS) SNI feature.

Prerequisites

You must meet the following prerequisite to use these procedures:

The certificate and key pairs for each of the HTTPS sites must be hosted on the virtual server.

Description

Prior to the introduction of TLS SNI as part of the TLS extensions, a single virtual server could not host
multiple secure websites. This was the case because the destination server name can be decoded from the
HTTP request header only after the SSL connection has been established.

With the introduction of TLS SNI, the client that supports TLS SNI can indicate the name of the server to
which the client is attempting to connect, in the ClientHello packet, during the SSL handshake process. The
server that supports TLS SNI can use this information to select the appropriate SSL certificate to return to
the client in the ServerHello packet during the SSL handshake. As a result, the client can establish secure
connections to the secure website from the list of multiple secure websites that are hosted on a single
virtual server.

To support the TLS SNI feature, a virtual server must be assigned a default SSL profile for fallback and one
SSL profile per HTTPS site. The fallback SSL profile is used when the server name does not match or when
the client does not support the TLS SNI extensions. The following list is an example of the sequence of
events that may occur when two clients, clientA (which supports the TLS SNI extension) and clientB (which
does not support the TLS SNI extension), attempt to establish secure connections with the HTTPS site my.
site1.com that is hosted on the TLS SNI virtual server:

1. clientA establishes a TCP connection to the TLS SNI virtual server.

2. clientA indicates the server name my.site1.com in its ClientHello packet and forwards the ClientHello
packet to the TLS SNI virtual server.
3.
 3. The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received
ClientHello packet.
4. The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile
mysite1profile that has the server name my.site1.com configured.
5. The TLS SNI virtual server returns mysite1profile's SSL certificate in its ServerHello packet to clientA.
6. clientA establishes a secure connection to the TLS SNI virtual server after it successfully negotiates
the remaining SSL options during the SSL handshake.
7. clientB establishes a TCP connection to the TLS SNI virtual server.
8. clientB does not support TLS SNI extension, hence there is no server name indicated in its
ClientHello packet to the TLS SNI virtual server.
9. The TLS SNI virtual server observes no SNI extension in the received ClientHello packet and selects
the fallback SSL profile mydefaultprofile.
10. The TLS SNI virtual server returns mydefaultprofile's SSL certificate (with CN my.default.com) in its
ServerHello packet to clientB.
11. clientB warns of a possible certificate mismatch when it receives the SSL certificate (with CN my.
default.com) from the ServerHello packet.

In BIG-IP 13.x and earlier,  F5 requires that you configure the following settings with the same values for all
of the SSL/TLS SNI profiles associated with the same virtual server:

Ciphers
Client Authentication
Client Certificate
Frequency
Certificate Chain Traversal Depth
Advertised Certificate Authorities
Certificate Revocation List (CRL)

The BIG-IP system displays an error message that appears similar to the following example if any of the
settings are non-matching:

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/<virtual
server>

In BIG-IP 14.x and later, each client SSL profile attached to a single virtual server can have different
security settings.

Additionally, the BIG-IP system displays this error message if you attempt to reconfigure the previously
mentioned settings in any of the SSL/TLS SNI profiles associated with the same virtual server. To avoid this
error message in subsequent attempts to reconfigure the previously mentioned settings, F5 recommends
that you configure a base SSL/TLS SNI profile and use this base profile as the parent profile for the SSL
/TLS SNI profiles associated to the same virtual server.
Also please notice that there is no automatic mechanism which would allow BigIP to select SSL profile
based on "Server Name" value received in the client SSL Hello message.
Nonetheless with additional help of an iRule you could force selection of proper serverssl profile based on
the "host-name" header value received in initial HTTP request from the client.
For instance:
when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] ":" 1]
}
when SERVER_CONNECTED {
    switch -glob [string tolower $hostname] {
    "siteA.com" {
        SSL::profile serverssl-siteA
    }
    "siteB.com" {
        SSL::profile serverssl-siteB
    }
  default {
#default serversssl profile to be selected if Host header value cannot be matched with predefined values
    SSL::profile serverssl
 }
}
}

Please note that serverssl profile that are going to be attached to the Virtual Servers must be configured
with proper "Server Name". More detailed steps regarding this matter can be found in the remaining part of
the article below.
Please note that request for TLS SNI server side support has been registered under ID559004 and is
planned to be released in future BigIP version.

Procedures

To configure multiple HTTPS sites using TLS SNI, you must perform the following procedures:

Importing the SSL certificate and key pairs for each server name
Configuring the base client SSL profile
Configuring the fallback (default) client SSL profile
Configuring the Client SSL profiles for TLS SNI
Configuring the virtual server for TLS SNI
Testing the TLS SNI virtual server

Importing the SSL certificate and key pairs for each server name

Before you begin configuring the BIG-IP objects for TLS SNI, you must import, to the BIG-IP system, all of
the SSL certificate and key pairs that belong to the multiple HTTPS sites. To do so, perform the following
procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.

2. Go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
 2.

Note: In versions prior to BIG-IP 13.x, go to System > File Management > SSL Certificate List.

3. Select Import.
4. For Import Type, select Key.
5. For Key Name, enter a name for the certificate and key pair.
6. To locate the key file, select Browse or Choose File, depending on your browser.
7. To upload the key file to the BIG-IP system, select Import.
8. Select the name of the certificate and key pair from the SSL Certificate List.
9. Select Import.
10. To locate the certificate file, select Browse or Choose File, depending on your browser.
11. To upload the certificate file to the BIG-IP system, select Import.
12. To import each SSL certificate and key pair, repeat steps 2 through 11.

Configuring the base client SSL profile

To facilitate subsequent reconfiguration of the Cipher and/or Client Authentication settings described in the
earlier part of this article, you should create a base client SSL profile to serve as the parent profile of the
SSL/TLS SNI profiles associated with the same virtual server. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.

2. Navigate to Local Traffic > Profiles > SSL > Client.
3. Select Create.
4. For Name, enter a name for the base client SSL profile.
5. Optional: Configure the remaining client SSL profile options.
6. Select Finished.

Configuring the fallback (default) Client SSL profile

The system uses the fallback client SSL profile as the default SSL profile when there is no match to the
server name, or when the client provides no SNI extension support. You can assign only one fallback SSL
profile to each TLS SNI virtual server. To configure the fallback client SSL profile, perform the following
procedure:

Note: You can skip this procedure if you have an SNI enabled virtual server with a fallback client SSL profile
that is already configured and assigned. Additionally, for clients that do not support TLS SNI, if the
requested server name does not match the certificate and key pair for the fallback profile, clients receive
certificate warnings.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.

2. Navigate to Local Traffic > Profiles > SSL > Client.
3. Select Create.
4. For Name, enter a name for the fallback client SSL profile.
5. For Parent Profile, select the base client SSL profile you have created in the Configuring the base
client SSL profile procedure.

6.
 6. For Configuration, select Advanced.
7. Select the Certificate Key Chain check box and then perform one of the following actions:
In BIG-IP 12.0.0 and later, select  Add, then select the certificate and key for the HTTPS site,
and select Add again.
In BIG-IP 11.5.x through 11.6.x, select the certificate and key for the HTTPS site and then
select Add.
In BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes,
and then select the certificate and key for the HTTPS site.
8. Select both check boxes for Default SSL Profile for SNI.
9. Optional: Configure the remaining client SSL profile options.
10. Select Finished.

Configuring the client SSL profiles for TLS SNI

To support TLS SNI, you must configure one client SSL profile per HTTPS site. To do so, perform the
following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.

2. Navigate to Local Traffic > Profiles > SSL > Client.
3. Select Create.
4. For Name, enter a name for a HTTPS site?s client SSL profile.
5. For Parent Profile, select the base client SSL profile you have created in the Configuring the base
client SSL profile procedure.
6. For Configuration, select Advanced.
7. Select the Certificate Key Chain check box and then perform one of the following actions:
In BIG-IP 12.0.0 and later, select Add, then select the certificate and key for the HTTPS site,
and select Add again.
In BIG-IP 11.5.x through 11.6.x, select the certificate and key for the HTTPS site and then
select Add.
In BIG-IP versions earlier than 11.5.0, select the individual Certificate and Key check boxes,
and then select the certificate and key for the HTTPS site.
8. Select the Server Name check box.
9. For Server Name, enter the name of the HTTPS site.

Note: Beginning in BIG-IP 11.6.0, if you leave the Server Name box blank, the BIG-IP system reads
the Subject Alternative Name (SAN) from the certificate. For versions prior to BIG-IP 11.6.0, if you
leave the Server Name box blank, the BIG-IP system reads the Common Name (CN) from the
certificate. Additionally, the Server Name setting supports wildcard strings containing the asterisk (*)
character. For example, *.domain.com matches a.domain.com or a.bc.domain.com, but it does not
match domain.com).

10. Optional: Configure the remaining client SSL profile options.

11. Select Finished.
12. Repeat steps 2 through 11 for each HTTPS site.
Configuring the virtual server for TLS SNI

To configure a virtual server for TLS SNI, you must assign the related client SSL profiles to the virtual
server. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.

2. Navigate to Local Traffic > Virtual Servers > Virtual Server List.
3. Select Create.
4. For Name, enter the name of the virtual server.
5. For Destination Address/Mask, enter the IP address of the virtual server.

Note: In BIG-IP versions prior to 12.1.0, this box is named Destination Address or Destination.

6. For Service Port, enter the listening port number of the virtual server.
7. For HTTP Profile (Client), select the appropriate HTTP profile.

Note: In BIG-IP versions prior to 14.1.0, this list is named HTTP Profile.

8. For SSL Profile (Client):

Select the backup client SSL profile created in the previous procedure in the Available box and
move it to the Selected box.
Select the HTTPS site?s client SSL profile created in the previous procedure in the Available
box and move it to the Selected box.
9. Repeat the previous step to add more client SSL profiles that were previously created for each
HTTPS site.
10. Optional: Configure the remaining virtual server options.
11. Select Finished.

Testing the TLS SNI virtual server

To test connections to the TLS SNI virtual server, you can use openssl utility. To do so, perform the
following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log into a client, such as a Linux host, that has the OpenSSL toolkit installed and has access to the
BIG-IP virtual server.
2. To verify that the virtual server returns the SSL certificate for the fallback SSL profile, use the
following command syntax:

openssl s_client -connect <virtual server IP address>:<virtual server port>

For example:

openssl s_client -connect 1.1.1.1:443

 Because the command does not specify the server name, the virtual sever should return the
certificate from the fallback SSL profile.

3. To verify that the virtual server returns the SSL certificate for the TLS SNI SSL profile, use the
following command syntax:

openssl s_client -servername <server name> -connect <virtual server IP address>:<virtual server
port>

For example:

openssl s_client -servername abc.domain.com -connect 1.1.1.1:443

Because the command specifies the SNI server name, the virtual sever should return the certificate
from the TLS SNI SSL profile.

Supplemental Information

K16583: The Client SSL profile may use SAN hostnames from an SSL certificate
K6823: Creating a wildcard certificate request for multiple HTTPS sites
K11438: Creating SSL SAN certificates and CSRs using OpenSSL
SSL Profiles Part 7: Server Name Indication on DevCentral 
Bug ID 674106

Applies to:

Product: BIG-IP, BIG-IP AAM, BIG-IP APM, BIG-IP ASM, BIG-IP LTM
15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.6.X, 11.5.X, 11.4.X, 11.3.X, 11.2.X, 11.1.X

Product: Legacy Products, BIG-IP WebAccelerator, BIG-IP WOM, BIG-IP PSM, BIG-IP Edge Gateway
15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.6.X, 11.5.X, 11.4.X, 11.3.X, 11.2.X, 11.1.X