
New Member

SSL termination on CSS11501 using host headers and single VIP

Hi,

I have a requirement to do SSL transparent proxy for multiple websites sharing the same VIP. I want to use the host header information from the client to decide which certificate to use.

I can't seem to find anything in the documentation on how to do this (if indeed it can be done).

I have tried to enter the same VIP on two servers in the SSL proxy list, but when I activate it I get the message:

Ssl-servers 30 and 40:

%% Cannot have same virtual Ip:port combination on two ssl-servers

Anyone out there know if this can be done?

Regards,

Andrew

3 REPLIES
Cisco Employee

Re: SSL termination on CSS11501 using host headers and single VI

The host header is also encrypted.

So, you can't use this information to decide which key/certificate to use to decrypt the traffic.

This is a protocol limitation.

So you need to use one ip address/tcp port per certificate.

Gilles.
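An added example (my own, not code from the thread or from Cisco) to make Gilles's point concrete: it constructs a minimal TLS 1.2 ClientHello (sample bytes, not captured traffic) and parses it the way a terminator sees it before any key or certificate has been chosen. Nothing in that cleartext handshake carries the HTTP `Host` header; the request is sent later inside application_data records that are already encrypted, which is why a host-header-based certificate choice is impossible. The `server_name` extension (SNI, RFC 6066) is the one place a hostname can appear in the cleartext ClientHello on later clients; the builder can include it so the difference is visible, but the thread makes no claim about the CSS11501 acting on it. The `host_header_visible` field is a plain byte search for the ASCII string `Host:` and exists only to make the demonstration explicit.

```python
import struct

TLS_HANDSHAKE = 0x16          # content type of the ClientHello record
TLS_APPLICATION_DATA = 0x17   # content type of the (encrypted) HTTP request


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record.

    Constructed sample input, not captured traffic. If server_name is given,
    a server_name (SNI) extension per RFC 6066 is appended; clients of the
    CSS11501 era typically sent no extensions at all.
    """
    client_random = bytes(range(32))               # fixed value for reproducibility
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"            # TLS_RSA_WITH_AES_128/256_CBC_SHA
    compression = b"\x00"                          # null compression only
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList: 2-byte list length, NameType host_name(0),
        # 2-byte name length, name bytes
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        extensions = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return the fields a TLS terminator can read before choosing a key.

    Everything returned here is cleartext. The HTTP request line and its
    Host header only travel in later application_data records, which are
    encrypted under keys derived from the handshake, so they are not
    available when the certificate must be selected.
    """
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = body[pos:pos + 2]
    pos += 2
    pos += 32                                      # client random
    pos += 1 + body[pos]                           # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    sni = None
    if pos < len(body):                            # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0 and data[2] == 0:        # server_name, NameType host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {
        "version": version.hex(),
        "cipher_suites": suites,
        "sni": sni,
        # Demonstration only: the ASCII Host header is never in the handshake.
        "host_header_visible": b"Host:" in record,
    }


if __name__ == "__main__":
    for name in (None, "uat.abc.com"):
        print(name, parse_client_hello(build_client_hello(name)))
```

Run it as-is and the terminator's view of a legacy client contains cipher suites and a random value but no hostname at all; with an SNI-capable client the only hostname it sees is the one in the extension, never the Host header.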

New Member

Re: SSL termination on CSS11501 using host headers and single VI

Hi Gilles,

Thanks for the reply. I have heard about "wildcard certificates" that support unlimited subdomains, e.g. a certificate for "*.abc.com" will support uat.abc.com, prod.abc.com, test.abc.com, dev.abc.com etc.

Are these supported by the CSS, and would this be a way around the problem?

Regards,

Andrew

Cisco Employee

Re: SSL termination on CSS11501 using host headers and single VI

Yes, the CSS supports wildcard certificates.

But a wildcard cert is usually given to a company.

So as you said, something like *.company.com.

G.
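An added example (mine, not from the thread or from Cisco) of the matching rule that decides whether the wildcard workaround actually covers a given site. It implements the conservative reading of RFC 6125 section 6.4.3 that browsers apply: comparison is case-insensitive, the wildcard must be the whole left-most label, it matches exactly one label, and at least two labels must follow it. The practical consequences for Andrew's plan are that `*.abc.com` covers `uat.abc.com` and `prod.abc.com` but not the bare `abc.com` and not `dev.uat.abc.com`, so those names need their own entries (or their own VIP:port and certificate). The `cert_covers` helper and the sample name lists are my own constructions.

```python
def wildcard_matches(pattern, hostname):
    """Return True if a certificate name (possibly "*.example.com") covers hostname.

    Conservative RFC 6125 rules: case-insensitive; a wildcard must be the entire
    left-most label; it matches exactly one label; and it must be followed by at
    least two labels, so "*.com" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname                  # plain name: exact match only
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False                                # only the "*.rest" form is accepted
    if len(plabels) < 3:
        return False                                # "*.com" style is not acceptable
    if len(hlabels) != len(plabels):
        return False                                # wildcard covers exactly one label
    return hlabels[0] != "" and hlabels[1:] == plabels[1:]


def cert_covers(cert_names, hostname):
    """Return the first certificate name (SAN or CN) that matches hostname, else None."""
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed example: one wildcard certificate for the company domain.
    names = ["*.abc.com"]
    for host in ("uat.abc.com", "PROD.abc.com", "abc.com", "dev.uat.abc.com"):
        print(f"{host:20} -> {cert_covers(names, host)}")
```

A single wildcard certificate on one VIP:port therefore works only when every site is a direct subdomain of the same company domain; with the hostname established after decryption, the load balancer can then route on the Host header as usual.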
