Wednesday, June 21, 2017

Defining multiple sites with unique TLS protocol versions on an F5 for TLS compliance

Take a typical set of websites hosted on an F5 LTM that use a wildcard certificate and SNI.


https://en.wikipedia.org/wiki/Server_Name_Indication


Three www websites:

www1.example.com
www2.example.com
www3.example.com



So let's say that www1 needs to support TLSv1.2 only, while www2 and www3 can support any of the other TLS versions. The virtual server uses one wildcard certificate for *.example.com.


How can you achieve this? The answer is quite simple!


In the F5 client-side SSL profile you will need to replicate the client-side profile three times and define the server_name in each profile.

Within each profile you can enable or disable the various SSL/TLS versions that may be negotiated between the virtual server and the client.


So in the end you will have 2 or 3 profiles:

1: one for TLSv1.2 only, with www1.example.com as the server_name
2: one for www2.example.com and www3.example.com as the server_name, with all TLSv1.x versions enabled
3: or just one more for *.example.com with no server_name defined


Take a look at these client-side profiles:

Local Traffic > Profile > SSL client www1.example.com

Local Traffic > Profile > SSL client www2.example.com and www3.example.com


Then just test using curl and select the TLS version.

e.g.


curl --tlsv1.0 https://www1.example.com
curl --tlsv1.1 https://www1.example.com
curl --tlsv1.2 https://www1.example.com


and



curl --tlsv1.0 https://www2.example.com
curl --tlsv1.1 https://www2.example.com
curl --tlsv1.2 https://www2.example.com

and

curl --tlsv1.0 https://www3.example.com
curl --tlsv1.1 https://www3.example.com
curl --tlsv1.2 https://www3.example.com


Only the allowed and enabled TLS versions should be established, based on the client-side SSL profile settings and the server_name entry.
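Added example, not part of Ken's post: a POSIX shell script that keeps the per-host TLS policy from the post in one table and uses it both to generate the tmsh commands for the client-ssl profiles and to run the curl audit. The hostnames come from the post; the profile names, the certificate/key object names wildcard.crt and wildcard.key, and the parent profile clientssl are assumptions. One caveat the post's curl lines do not cover: curl's --tlsv1.x flags only set a minimum version, so a --tlsv1.0 test that succeeds may actually have negotiated TLSv1.2. The script adds --tls-max (curl 7.54 or later) so each probe is pinned to exactly one version and a "deny" really means the F5 refused that version.

```shell
#!/bin/sh
# Added example: one TLS policy table drives both the F5 client-ssl profile
# commands and a curl audit of what the virtual server actually accepts.
# Hostnames follow the post; profile/cert/key names below are assumptions.

# policy_for <host>: TLS versions the client-side SSL profile should accept.
policy_for() {
  case "$1" in
    www1.example.com)                  echo "1.2" ;;
    www2.example.com|www3.example.com) echo "1.0 1.1 1.2" ;;
    *)                                 echo "" ;;
  esac
}

# expected <host> <version>: "allow" if the policy lists the version, else "deny".
expected() {
  local v
  for v in $(policy_for "$1"); do
    [ "$v" = "$2" ] && { echo allow; return 0; }
  done
  echo deny
}

# tmsh_options <host>: build the profile's "options" list by disabling every
# TLS version the policy does not allow. SSLv2 and SSLv3 are always disabled.
tmsh_options() {
  local opts="no-sslv2 no-sslv3" v opt
  for v in 1.0 1.1 1.2; do
    case "$v" in
      1.0) opt=no-tlsv1 ;;
      1.1) opt=no-tlsv1_1 ;;
      1.2) opt=no-tlsv1_2 ;;
    esac
    [ "$(expected "$1" "$v")" = deny ] && opts="$opts $opt"
  done
  echo "$opts"
}

# tmsh_profile_cmd <host>: tmsh command creating a client-ssl profile whose
# server-name binds it to this SNI hostname (assumed cert/key object names).
tmsh_profile_cmd() {
  local name
  name="clientssl_$(printf '%s' "$1" | tr . _)"
  echo "create ltm profile client-ssl $name { defaults-from clientssl" \
       "cert wildcard.crt key wildcard.key server-name $1" \
       "options { $(tmsh_options "$1") } }"
}

# probe <host> <version>: one handshake pinned to exactly that version.
# --tlsv1.x is only a minimum; --tls-max caps it so a server that negotiates
# 1.2 cannot make a 1.0 probe look like a pass.
probe() {
  if curl --silent --show-error --output /dev/null \
       "--tlsv$2" --tls-max "$2" "https://$1/" 2>/dev/null; then
    echo allow
  else
    echo deny
  fi
}

# verdict <host> <version> <observed>: PASS when the F5's behaviour matches policy.
verdict() {
  local want
  want=$(expected "$1" "$2")
  if [ "$3" = "$want" ]; then
    echo "PASS $1 TLS$2 $3"
  else
    echo "FAIL $1 TLS$2 observed=$3 expected=$want"
    return 1
  fi
}

# audit: probe every host/version pair; non-zero exit on any mismatch.
audit() {
  local rc=0 h v
  for h in www1.example.com www2.example.com www3.example.com; do
    for v in 1.0 1.1 1.2; do
      verdict "$h" "$v" "$(probe "$h" "$v")" || rc=1
    done
  done
  return $rc
}

case "${1:-}" in
  config) for h in www1.example.com www2.example.com www3.example.com; do
            tmsh_profile_cmd "$h"
          done ;;
  audit)  audit ;;
esac
```

Run `sh tls_policy.sh config` to print the tmsh commands (review them, then issue them in tmsh on the BIG-IP), and `sh tls_policy.sh audit` from a host that can reach the virtual server; a FAIL line means the profile bound to that server_name accepts or refuses a version the policy says it should not. The catch-all *.example.com profile from option 3 is not generated here; if you use it, it also needs sni-default set to true so the virtual server has a default profile for clients that send no SNI.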


Ken



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

