SSL termination on CSS11501 using host headers and single VIP

Dec 17th, 2007

Hi,

I have a requirement to do SSL transparent proxy for multiple websites sharing the same VIP. I want to use the host header information from the client to decide which certificate to use.

I can't seem to find anything in the documentation on how to do this (if indeed it can be done).

I have tried to enter the same VIP on two servers in the SSL proxy list, but when I activate it I get the message:

Ssl-servers 30 and 40:

%% Cannot have same virtual Ip:port combination on two ssl-servers


Anyone out there know if this can be done?


Regards,

Andrew

Gilles Dufour (Cisco Employee) Wed, 12/26/2007 - 02:45

The host header is also encrypted.

So, you can't use this information to decide which key/certificate to use to decrypt the traffic.

This is a protocol limitation.

So you need to use one ip address/tcp port per certificate.


Gilles.

andrew-kearton Wed, 12/26/2007 - 13:42

Hi Gilles,

Thanks for the reply. I have heard about "wildcard certificates" that support unlimited subdomains, e.g. a certificate for

"*.abc.com" will support uat.abc.com, prod.abc.com, test.abc.com, dev.abc.com etc


Are these supported by the CSS, and would this be a way around the problem?


Regards,

Andrew

Gilles Dufour (Cisco Employee) Thu, 12/27/2007 - 02:07

Yes, the CSS supports wildcard certificates.

But a wildcard cert is usually given to a company.

So as you said, something like *.company.com.


G.
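To see exactly which of the names above a single "*.abc.com" certificate would cover on one VIP, here is an added example (not code from the thread, from Cisco, or from the CSS) that applies the usual browser wildcard matching rules; it goes slightly beyond the thread by also showing two names such a cert does not cover, the bare domain and a second-level subdomain, which would still need their own certificate and VIP.

```python
"""Check which host names a wildcard certificate such as "*.abc.com" covers.

Constructed example; not code from the thread or from Cisco.  Implements
the common client matching rules (RFC 6125 section 6.4.3): the wildcard
must be the entire left-most label and matches exactly one DNS label.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*" as the whole left-most label is accepted; "*.com",
    # "*.*.abc.com" or "www*.abc.com" are rejected as too broad.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # The wildcard consumes exactly one label; the rest must match exactly.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_hosts(pattern: str, hostnames):
    """Split hostnames into those the certificate covers and those it does not."""
    ok = [h for h in hostnames if wildcard_matches(pattern, h)]
    missing = [h for h in hostnames if not wildcard_matches(pattern, h)]
    return ok, missing


if __name__ == "__main__":
    # Names from the thread plus two edge cases a single wildcard will NOT cover.
    names = ["uat.abc.com", "prod.abc.com", "test.abc.com", "dev.abc.com",
             "abc.com", "api.dev.abc.com"]
    ok, missing = covered_hosts("*.abc.com", names)
    print("covered by *.abc.com:", ok)
    print("need another cert and VIP:", missing)
```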
