[f-nsp] Serveriron SSL termination

Jonas Frey (Probe Networks) jf at probe-networks.de
Thu Sep 4 10:20:44 EDT 2014


Chris,

You are right; as of 12.4.00p (June/2014) this is not possible with the
ADX.
Brocade still doesn't support RFC3546.

If you need an SNI-capable load balancer, look at:
http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

You can only assign multiple SSL certs to a virtual host if you
terminate/proxy them on different ports. It's not possible to distinguish
between hostnames.

-Jonas


On Thursday, 04.09.2014, at 12:31 +0100, Chris Good wrote:
> I'm considering adding SSL termination to our existing deployment of
> ADXs. At present we funnel all SSL through an Apache proxy layer that
> has multiple name-based vhosts, each with their own certificate per
> vhost; this proxy shim then sends traffic to the non-SSL server.
> 
> 
> All the "real servers" in a cluster can handle all vhosts so we don't
> need multiple bind rules, we just need to be able to terminate with
> multiple ssl profiles on a single virtual server.  I've been reading
> through the ssl termination documentation but can't see any obvious
> way to hang multiple certificates off a single virtual server.  Am I
> missing something or is it not possible to define a virtual server
> with multiple profiles on the ADX?
> 
> 
> Chris
> 
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp