Radware Alteon User Manual

Alteon Application Switch Operating System Application Guide
Offloading SSL Encryption and Authentication
Document ID: RDWR-ALOS-V2900_AG1302 351
Alteon supports SSL offloading both with and without SNI, and there are various ways to indicate domain names in certificates (common name, wildcards, subject alternative name extension). The following is the order in which certificates are used in various scenarios (SSL offloading certificate matching logic).
— Non-SNI configuration (that is, a specific server certificate is associated with the virtual service)—in this scenario, whether or not there is an SNI in the SSL hello from the client, the associated server certificate is returned to the client.
Note: Alteon is oblivious to the contents of the certificate. Therefore, wildcard certificates and Subject Alternative Names (SAN) play no role and are supported.
— SNI configuration—in this scenario, the Alteon matching logic is as follows:
a. Match the client SNI content to the server's certificate common name (CNAME) in the associated certificate group. If there is an exact match, send the matched server certificate to the client.
b. Match the client SNI content to the server's certificate with wildcards, looking for a match in the domain name, and ignoring the hostname. If there is a domain name match (ignoring the hostname), send the matched wildcard server certificate to the client.
c. Match the client SNI content to the Subject Alternative Names (SAN) appearing in each of the servers' certificates in the certificate group. If there is an exact match, send the matched server certificate to the client.
d. If there is no match between the client SNI and any of the server domain names, the SSL handshake fails.
e. Whenever no SNI is sent by the client in the SSL hello, use the "default" certificate defined in the certificate group and return it to the client.
6. Create Layer7 content switching rules to select the Server group by domain name. See Example
Content-Intelligent Server Load Balancing, page 219 for more information about using content
switching rules and classes.
>> SSL Load Balancing# srvrcert
Current SSL server certificate: none
Enter new SSL server certificate or group
[cert|group|none] [none]: group
Enter new SSL server certificate: group1
(Associate the defined server certificate group)
>> SSL Load Balancing# sslpol myPol
(Associate an SSL policy)
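
The SNI matching order in steps a to e above can be modelled offline to check which certificate a given group would return for a hostname before it is deployed. This is an added example, not Radware code: the names Cert, select_cert and HandshakeFailure and the sample group are hypothetical, and it assumes case-insensitive name comparison and that wildcards are only considered in the common name.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cert:
    name: str                                   # hypothetical label for the certificate
    cn: str                                     # subject common name
    sans: list = field(default_factory=list)    # subject alternative names

class HandshakeFailure(Exception):
    """No certificate in the group matches the client's SNI (step d)."""

def _norm(host):
    # Assumption: names compare case-insensitively, ignoring a trailing dot.
    return host.rstrip(".").lower()

def select_cert(group, default, sni: Optional[str]):
    """Return the certificate chosen for an SNI-enabled virtual service."""
    if not sni:                                 # step e: no SNI in the hello
        return default
    host = _norm(sni)
    for c in group:                             # step a: exact common-name match
        if "*" not in c.cn and _norm(c.cn) == host:
            return c
    _, _, domain = host.partition(".")          # drop the hostname label
    for c in group:                             # step b: wildcard, domain part only
        if c.cn.startswith("*.") and domain and _norm(c.cn[2:]) == domain:
            return c
    for c in group:                             # step c: exact SAN match
        if host in (_norm(s) for s in c.sans):
            return c
    raise HandshakeFailure(sni)                 # step d: no match at all

# Constructed sample group; every name below is made up for the example.
SHOP = Cert("shop", "shop.example.com")
WILD = Cert("wild", "*.example.com")
MULTI = Cert("multi", "portal.example.net", ["api.example.com", "mail.example.org"])
GROUP = [MULTI, WILD, SHOP]                     # list order does not change the result
```

Because each step scans the whole group before the next step runs, `api.example.com` resolves to the wildcard certificate even though another certificate lists it as an exact SAN, which matters when the two certificates differ in key type or issuer.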
