https://en.wikipedia.org/wiki/Server_Name_Indication
Say you have three www websites:
www1.example.com
www2.example.com
www3.example.com
Let's say that www1 needs to support TLSv1.2 only, while www2 and www3 can support any of the other TLS versions. The virtual server uses one wildcard certificate for *.example.com.
How can you achieve this? The answer is quite simple!
In the F5 client-side SSL profile you replicate the client-side profile three times and define the server_name (the SNI hostname) in each profile.
Within each profile you can then enable or disable the individual SSL/TLS versions that are negotiated between the virtual server and the client.
So in the end you will have two or three profiles:
1: one for TLSv1.2 only, with www1.example.com as the server_name
2: one for www2.example.com and www3.example.com, with the server_name set and all TLSv1.x versions enabled
3: or just one more for *.example.com with no server_name defined
Take a look at these client-side profiles:
Local Traffic > Profile > SSL client www1.example.com
Local Traffic > Profile > SSL client www2.example.com and www3.example.com
For example, test each host with each TLS version:
curl --tlsv1.0 https://www1.example.com
curl --tlsv1.1 https://www1.example.com
curl --tlsv1.2 https://www1.example.com
and
curl --tlsv1.0 https://www2.example.com
curl --tlsv1.1 https://www2.example.com
curl --tlsv1.2 https://www2.example.com
and
curl --tlsv1.0 https://www3.example.com
curl --tlsv1.1 https://www3.example.com
curl --tlsv1.2 https://www3.example.com
Only the allowed and enabled TLS versions should establish a connection, based on the client-side SSL profile settings and the server_name entry.
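The same three-profile setup expressed in tmsh, as an added example that is not part of the original post. The profile names, the virtual server name and the wildcard cert/key file names are assumptions, and the option keywords should be checked against the TMOS version in use.

```tmsh
# Profile 1: www1.example.com may negotiate TLSv1.2 only.
# server-name ties the profile to the SNI hostname the client sends;
# the no-tlsv1 and no-tlsv1_1 options drop the older versions from
# the handshake. (Hypothetical profile and cert/key names.)
create ltm profile client-ssl www1_clientssl {
    defaults-from clientssl
    cert wildcard.example.com.crt
    key wildcard.example.com.key
    server-name www1.example.com
    options { dont-insert-empty-fragments no-sslv2 no-sslv3 no-tlsv1 no-tlsv1_1 }
}

# Profiles 2a/2b: www2 and www3 keep TLSv1.0 through TLSv1.2.
# A client-ssl profile carries a single server-name, so each host
# that should be matched explicitly gets its own profile.
create ltm profile client-ssl www2_clientssl {
    defaults-from clientssl
    cert wildcard.example.com.crt
    key wildcard.example.com.key
    server-name www2.example.com
    options { dont-insert-empty-fragments no-sslv2 no-sslv3 }
}
create ltm profile client-ssl www3_clientssl {
    defaults-from clientssl
    cert wildcard.example.com.crt
    key wildcard.example.com.key
    server-name www3.example.com
    options { dont-insert-empty-fragments no-sslv2 no-sslv3 }
}

# Profile 3 (alternative to 2a/2b): the catch-all for *.example.com.
# It has no server-name and is flagged sni-default so that clients
# sending an unlisted hostname, or no SNI at all, still get the
# wildcard certificate. Exactly one profile on the virtual server
# may be sni-default.
create ltm profile client-ssl wildcard_default_clientssl {
    defaults-from clientssl
    cert wildcard.example.com.crt
    key wildcard.example.com.key
    sni-default true
    options { dont-insert-empty-fragments no-sslv2 no-sslv3 }
}

# Attach all of them to the one virtual server (hypothetical name);
# the BIG-IP selects the profile by SNI, and www1's profile then
# rejects a client that offers only TLSv1.0 or TLSv1.1.
modify ltm virtual vs_example_https profiles add {
    www1_clientssl www2_clientssl www3_clientssl wildcard_default_clientssl
}
```

After applying the configuration, the curl checks above should succeed for www1 only with --tlsv1.2, and for www2 and www3 with every TLSv1.x flag.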
Ken
Ken Felix
NSE (Network Security Expert) and Routing/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com