
SSL termination on CSS11501 using host headers and single VIP

andrew-kearton
Level 1

Hi,

I have a requirement to do SSL transparent proxy for multiple websites sharing the same VIP. I want to use the host header information from the client to decide which certificate to use.

I can't seem to find anything in the documentation on how to do this (if indeed it can be done).

I have tried to enter the same VIP on two servers in the SSL proxy list, but when I activate it I get the message:

Ssl-servers 30 and 40:

%% Cannot have same virtual Ip:port combination on two ssl-servers

Anyone out there know if this can be done?

Regards,

Andrew


Gilles Dufour
Cisco Employee

The host header is also encrypted.

So, you can't use this information to decide which key/certificate to use to decrypt the traffic.

This is a protocol limitation.

So you need to use one ip address/tcp port per certificate.

Gilles.

Hi Gilles,

Thanks for the reply. I have heard about "wildcard certificates" that support unlimited subdomains, e.g. a certificate for "*.abc.com" will support uat.abc.com, prod.abc.com, test.abc.com, dev.abc.com, etc.

Are these supported by the CSS, and would this be a way around the problem?

Regards,

Andrew

Yes, the CSS supports wildcard certificates.

But a wildcard cert is usually given to a company.

So as you said, something like *.company.com.

G.
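
To illustrate the wildcard approach discussed in this thread, here is an added example (not from any poster or from Cisco) that checks which hostnames behind one VIP a single wildcard certificate would cover. It assumes the usual matching rule that `*` is the entire left-most label and stands for exactly one label; the function names and the site list are constructed for illustration.

```python
# Added example: decide which sites sharing one VIP:port can be served
# with a single wildcard certificate, and which need their own VIP:port.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in h_labels or len(p_labels) != len(h_labels):
        # "*" never spans several labels and never matches zero labels,
        # so abc.com and www.uat.abc.com are NOT covered by *.abc.com.
        return False
    if p_labels[0] == "*":
        rest = p_labels[1:]
        if len(rest) < 2 or "*" in "".join(rest):
            return False  # reject over-broad names such as "*.com"
        return rest == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards like "u*.abc.com" are not accepted here
    return p_labels == h_labels


def split_by_coverage(pattern: str, hostnames: list[str]):
    """Split hostnames into (covered, uncovered) for one certificate name."""
    covered = [h for h in hostnames if wildcard_matches(pattern, h)]
    uncovered = [h for h in hostnames if not wildcard_matches(pattern, h)]
    return covered, uncovered


# Constructed list of sites someone might want behind the same VIP.
SITES = [
    "uat.abc.com",
    "prod.abc.com",
    "abc.com",           # bare domain: one label short
    "www.uat.abc.com",   # two labels under abc.com
    "shop.example.org",  # different domain entirely
]

if __name__ == "__main__":
    covered, uncovered = split_by_coverage("*.abc.com", SITES)
    print("one VIP, one wildcard cert:", covered)
    print("need a separate VIP:port and cert:", uncovered)
```

Any hostname in the second list still falls under the one IP address/TCP port per certificate constraint described in the first reply.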
