CSS SSL Keepalives

Similar Messages

• CSS/SSL termination - cypher negotiation Q

  Hi everyone
  question regarding SSL termination on CSS/SSL module.
  I have several several cyphers in my ssl-proxy list,
  What is the algorithm to choose the cypher ?
  I may assume that CSS and browser negotiate it during SSL session establishing.
  The testing shows that same browser gets different cyphers when it hits
  different CSSs (cyphers are in the same order in proxy-lists on CSSs)
  Thanks
  Alex

  Alex,
  it's not really an algorithm.
  The browser selects the first cipher that matches its requirements in the list presented by the server/CSS.
  The CSS builds a list in the order of weight.
  If you did not specify any weight, the list can be random depending in which order you entered the command.
  I would say, if you want a specific cipher to be selected, use a highest weight for this cipher.
  Gilles.

• How many CSS SSL certificates needed?

  From reading the CSS SSL Configuration Guide, it seems that one certificate is needed for each virtual SSL server (or VIP), regardless of how many servers are being load-balanced behind that VIP, but that is not made very clear. Also, it appears that a separate certificate is required for each virtual SSL server. Can someone please confirm or correct this for me? Thank You.

  A quick (I hope) follow-up question on this...
  Given multiple domain names being load-balanced by a CSS with a single SSL module, would I need different key and cert associations? I am thinking of something like this:
  ssl associate rsakey prodkey prodkey.pem
  ssl associate cert prodcert prodcert.pem
  ssl associate dhparam proddh proddh.pem
  ssl associate rsakey intkey intkey.pem
  ssl associate cert intcert intcert.pem
  ssl associate dhparam intdh intdh.pem

• CSS SSL Scripted Keepalive

  Hi Guys,
  Is it possible to write a custom script to open an ssl socket and then check a url??
  Thanks
  Scott

  Scott,
  this is not possible.
  The scripting language does not have encryption/decryption capabilities.
  Gilles.

• CSS 11503 - Keepalive

  Hi
  At present we have various servers which use a basic keepalive of tcp port 8002. What we have discovered recently is if the servers experience other problems (for example i-cap errors).
  Is there any way the CSS can identify these errors and then take the service down and not use the server until the issue i resolved?
  Thanks
  James

  Gilles:
  I know this is a two years old, but need some help with the issue regarding this post. I need to have a script keepalive to verify the content of a page. I tried what you mentioned here, but my service won't come up. My set up is this:
  SERVICE
  service serbancasawebback
  type ssl-accel-backend
  add ssl-proxy-list bhdssl
  keepalive type script ap-kal-httptagban
  protocol tcp
  port 80
  ip address 192.168.249.23
  active
  The script I used is as follows:
  !no echo
  ! Filename: ap-kal-httptagban
  ! Parameters: HostName WebPage HostTag
  ! Description:
  ! This script will connect to the remote host and do an HTTP
  ! GET method upon the web page that the user has asked for.
  ! This script also adds a host tag to the GET request.
  ! Failure Upon:
  ! 1. Not establishing a connection with the host.
  ! 2. Not receiving an HTTP status “200 OK”
  if ${ARGS}[#] “NEQ” “3”
  echo “Usage: ap-kal-httptagban \'192.168.249.23 /bancasa/start.swe?SWECmd=Logoff www2.bhd.com.do\'”
  exit script 1
  endbranch
  ! Defines:
  set HostName “${ARGS}[1]”
  set WebPage “${ARGS}[2]”
  set HostTag “${ARGS}[3]”
  ! Connect to the remote Host
  set EXIT_MSG “Connection Failure”
  socket connect host ${HostName} port 80 tcp
  ! Send the GET request for the web page
  set EXIT_MSG “Send: Failed”
  socket send ${SOCKET} “GET ${WebPage} HTTP/1.0\nHost: ${HostTag}\n\n”
  ! Wait for a good status code
  set EXIT_MSG “Waitfor: Failed”
  socket waitfor ${SOCKET} “SWE Internal Error” 2000
  no set EXIT_MSG
  socket disconnect ${SOCKET}
  exit script 0
  Notice this is an SSL back-end service. The web page the user should request is:
  https://www2.bhd.com.do/bancasa/start.swe?SWECmd=Logoff
  If it returs the page with the error, then is down.
  I'm not sure I have all arguments OK or in the correct format. Also,I'm a little confused regarding whta the Hostag should be.
  Can you please verify what I have wrong ?
  Thanks

• Cisco css http keepalive is not working with GET command

  Dear all
  i have Cisco Css connected to Dell Server (via switch)
  Cisco CSS - 192.168.1.3 and Dell Server - 192.168.1.5
  Dell server is setup with windows 2009R2 and Apache HTTPD is version 2.2
  This server is dedicated to host multiple doamins with Apache lik
  www.abc.co.uk
  www.xyz.co.uk
  Now the clinet wants to setup the http keepalive  with specfic web page like /testpage.html  for all these domains. i have teseed with single URI. it is working the comamnds are
  config)# service serv1
  (config-service[serv1])# ip address 192.168.1.5
  (config-service[serv1])# keepalive type http
  (config-service[serv1])# keepalive method head    ( get i have not used due to hash mismatch with apche server, if i use GET it is not working)
  (config-service[serv1])# keepalive uri "/testpage.html"
  (config-service[serv1])# active
  It is working with single URI.  but how can i do the same thing for multiple doamins ?
  for multiple doamins do i need use script ? or can i use with commands ?
  if i need to use script the script is
  !no echo
  ! Filename: httptag-test
  ! Parameters: HostName WebPage HostTag
  ! Description:
  !       This script will connect to the remote host and do an HTTP
  !   GET method upon the web page that the user has asked for.
  !   This script also adds a host tag to the GET request.
  ! Failure Upon:
  !   1. Not establishing a connection with the host.
  !       2. Not receiving an HTTP status "200 OK"
  if ${ARGS}[#] "NEQ" "3"
          echo "Usage: httptag-test \'Hostname WebPage HostTag\'"
          exit script 1
  endbranch
  ! Defines:
  set HostName "${ARGS}[1]"
  set WebPage "${ARGS}[2]"
  set HostTag "${ARGS}[3]"
  ! Connect to the remote Host
  set EXIT_MSG "Connection Failure"
  socket connect host ${HostName} port 80 tcp
  ! Send the GET request for the web page
  set EXIT_MSG "Send: Failed"
  socket send ${SOCKET} "GET ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
  ! Send the HEAD request for the web page
  set EXIT_MSG "Send: Failed"
  socket send ${SOCKET} "HEAD ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
  ! Wait for a good status code
  set EXIT_MSG "Waitfor: Failed"
  socket waitfor ${SOCKET} "200 OK"
  no set EXIT_MSG
  socket disconnect ${SOCKET}sh w
  exit script 0
  in the script i have not used GET becasue, when CSS send GET request to apache it use hash, but apache is not able to respond with same hash and it shows that website is down. more information- click below url
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdKeepC.html#wp1139668
  (config-keepalive) method
  I have uploaded in CSS with httptag-test file and applied these commands
  service comp.brit.co.uk-80
    keepalive port 80
    ip address 192.168.1.5
    keepalive frequency 10
  keepalive maxfailure 2
  keepalive retryperiod 10
  keepalive type script httptag-test "192.168.1.5 /testpage.html  www.abc.co.uk
  keepalive type script httptag-test "192.168.1.5 /testpage.html  www.xyz.co.uk
  but this script is not working
  my question is:
  1.do i need use script only to setup http keepalvie with webpage for multiple domains ?
  2.with out using script is there any solution like CICSCO  CSS commands  to setup http uril for multiple domains which are on 1 singl server.
  please help me asap

  Hello Muhammad,
  If you wish to use multiple domains for a URI  keep-alive check, and perform a HEAD request what Daniel mentioned is  correct.  You have to use a scripted keep-alive check on the service.  However, you should not use the default "ap-kal-httptag" script to do so  as it's limited to only 1 website (unless you modify the script).  You're best bet would be using the "ap-kal-httplist" script on the CSS  as it allows the checking of 2 different websites along with a webpage  to check for each site using HTTP HEAD method.
  !no echo
  ! Filename: ap-kal-httplist
  ! Parameters: Site1 WebPage1 Site2 WebPage2 [...]
  ! Description:
  !    This script will connect a list of sites/webpage pairs.  The
  !   user must simply supply the site, and then the webpage and
  !   we'll attempt to do an HTTP HEAD on that page.
  ! Failure Upon:
  !   1. Not establishing a connection with the host.
  !   2. Not receiving a status code 200 on the HEAD request on any
  !      one site.  If one fails, the script fails.
  ! Make sure the user has a qualified number of arguments
  if ${ARGS}[#] "LT" "2"
          echo "Usage: ap-kal-httplist \'WebSite1 WebPage1 WebSite2 WebPage2 ...'"
          exit script 1
  endbranch
  while ${ARGS}[#] "GT" "0"
          set Site "${ARGS}[1]"
      var-shift ARGS
      if ${ARGS}[#] "==" "0"
          set EXIT_MSG "Parameter mismatch: hostname present but webpage was not"
          exit script 1
      endbranch
      set Page "${ARGS}[1]"
      var-shift ARGS
      no set EXIT_MSG
      function HeadUrl call "${Site} ${Page}"
  endbranch
  exit script 0
  function HeadUrl begin
  ! Connect to the remote Host
  set EXIT_MSG "Connect: Failed to connect to ${ARGS}[1]"
  socket connect host ${ARGS}[1] port 80 tcp 2000
  ! Send the head request
  set EXIT_MSG "Send: Failed to send to ${ARGS}[1]"
  socket send ${SOCKET} "HEAD ${ARGS}[2] HTTP/1.0\n\n"
  ! Wait for the status code 200 to be given to us
  set EXIT_MSG "Waitfor: Failed to wait for '200' on ${ARGS}[1]"
  socket waitfor ${SOCKET} " 200 " 2000
  no set EXIT_MSG
  socket disconnect ${SOCKET}
  function HeadUrl end
  Rather  then modify the default "ap-kal-httplist" script on the CSS I would  simply define the arguments within the service configuration itself.   Something like the following (using your service example):
  service dell-192.168.1.5
  ip address 192.168.1.5
  keepalive type script ap-kal-httplist "www.abc.co.uk /testpage.html www.xyz.co.uk /testpage.html"
  active
  As  long as the server is configured to reply to host headers, and the page  is configured to retuen a "200 OK" the above service configuration  should work. If there are any errors simply run "show service  " to view why there was a failure. If there is a  failure, and the output from the command specified shows a line number  run the following command against the script to view at what point  (line) did the failure occur:
  show script ap-kal-httplist line-numbers
  Hope this helps!
  - Jason Espino

• Newly Occuring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickyness

  We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules.  I've spent dozens of manhours working on the problem, and have quite a bit of information to report, including a solution.  There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.  
  We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit. 
  Here are the exact symptoms we saw:
    Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
    Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
    Impact 1: For SSL Rules backed by L5 rules, the initial response to the first request would be 3 seconds.  Further requests on the same TCP connection would not be delayed
    Impact 2: L5 rules being accessed via SSL would nolonger perform any URL based stickiness.  Accessing the same rule skipping SSL, would work fine
  I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
  1. Client/CSS perform initial TLS handshake, crypto cyphers determined (nearly instantly)
  2. Client sends HTTP 1.1 request for resource (nearly instantly)
  3. 3 seconds of no traffic in our out of the CSS related to this request
  4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
  5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
  6. Response is sent to the client with the resource (nearly instantly)
  7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
  The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
  Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
  G
  and the second message was:
  ET /foobar HTTP/1.1
  This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
  On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
  GET /foobar HTTP/1.1
  (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
  I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem.  I pulled a packet trace from a few years ago, and at that time confirmed we never saw a double TLSv1 application messages before. 
  A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
  and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
  Solution:
  Our ssl config looked something like this:
  ssl-proxy-list SSL_ACCEL
    ssl-server 10 vip address XX.XX.XX.XX
    ssl-server 10 rsakey XXXX
    ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
    ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
    ssl-server 10 unclean-shutdown
    ssl-server 10 rsacert XXXXXX
  Removing:
    ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
  Solves the problem.  After that's removed, the browsers will nolonger fragment the first character of their request into a separate TLSv1 message.  The 3 second delay goes away, and L5 stickiness is fixed.  The "CBC" in the cyper refers to Cypher-Block-Chaining (a great article here:
  http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
  This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
  -Joe

  Hi Joe,
  That's a very good analysis you did.
  As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome a SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
  For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you wil have to go through TAC) in the next couple of weeks
  In the meantime, as workaround, you can configure the CSS to use only RC4 cyphers (which is what you were suggesting also). These are not affected by the vulnerability, so, browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
  Regards
  Daniel

• CSS SSL Proxy - how can I write the original source address in http header

  I'm replacing some BigIP's with CSS11500's that are configured to do front/backend ssl proxying in a one-armed configuration. The BigIP's write the original source IP address as a http header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS.
  thanks,
  Brian

  here is what you can insert with the SSL module :
  http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
  Gilles.

• CSS SSL renewal problem

  While renewing the ssl certification in CSS everything went fine while installation but after that when i checked with the following command
  sh ssl associate rsakey | grep url(dont want to mention name)
  i can see the previous as well as the new both key as associated and says yes
  while the new should show yes and old should be no
  same it is showing for cert
  can anyone help me to sort out with this problem what it can be
  Thanks in advance

  Sagar,
  Have you performed the "no ssl associate rsakey" and the "no ssl associate cert"?
  After that, perform the "clear ssl file " and "clear ssl file rsakey "
  HTH
  Dave

• CSS + SSL - unable to create RSA association

  Hello,
  I am having troubles creating an RSA association on our CSS11506.
  Here are the steps I've tried:
  1.) I take the original "Digital ID Class 3 - VeriSign Server OnSite" certificate provided to us and move to the CSS via FTP. I have used the openssl verify process to make sure it was a good cert.
  CSS-EC1# copy ssl ftp FTPSRV import websrv-gr.pem PEM "thepassword"
  Connecting (/)
  Completed successfully.
  (also at this step - I have tried this with and without a passphrase with the same results)
  OpenSSL verify:
  C:\OpenSSL\bin>openssl verify -verbose -CAfile .\PEM\verisign.pem websrv-gr.pem
  websrv-gr.pem: OK
  2.) I then create a certificate association:
  CSS-EC1(config)# ssl associate cert WWW websrv-gr.pem
  3.) I then attempt to create and RSA association:
  CSS-EC1(config)# ssl associate rsakey WWW-RSA websrv-gr.pem
  %% File does not contain an RSA key
  What can I do to get rid of this error? Does the certificate we recieved from Verisign need to be chained with the Verisign Intermediate certificate?
  Any ideas?
  Thanks in advance...
  Regards,
  Ben

  Hi
  we have a customer with a similar problem,
  CSS11501(config)# ssl associate rsakey vimageprivkey privkeyvimages.pem
  Error: %% File does not contain an RSA key
  The openssl utility has been used to extract the rsakey from the PKCS12 file.
  They have used this method numerous times before without this error.
  RSA key below:-
  Bag Attributes
  localKeyID: 31 31 36 33 30 38 34 35 35 32 32 33 30
  friendlyName: vimages 2006 certificate
  Key Attributes:
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,4B31C6E8188C1E2C
  L2zTgx4mEUBG0465IxpNOfeyoMX8vTXF6TTrClc5BCDqEYa+K8/9yu6ZwQ+GKdV2
  WN0NES4mNMyqB+j2K9ysQi59Zw661MSf/ToTLPgbFlI7xK434ZpMiy6K0VIK8cSW
  Nz8yTSbjarpsrigUYzoJ83p10a6vVXA/dEDGrMn84EQeYWjQdStcHU8DKmgaOMLY
  c3s68BHex2oNOdG4P4Uo4lTG1zmQOyP0aY7KHv0KNVrR/RNSW4j01nAdPZ09YiiZ
  Uu83Kvh/kwkGBhGYAr0vnlqPlsdUarfXams39F/Imp3NQdofXsrVencUjST4zjPK
  1xpptY2RYa4lCEZBF5+Y00QhxaQR8IuLkh0x2niR/Nz+KBHxOJ8hacB/bcIpZKv0
  ikFDiXoGLgRNCRM1qhECyfUk4Gt95J4qKSAsyUNOTjhaz73q+sUPu6eLffwUQ1U2
  g6fNcqAu6z5xJkpPjVtGVt+opERqGrnlCW2R6I1QYio+U21p4Cx+7qfxrGGpZtt+
  p0kYhEH9ZMODh8QhDEDv7qqLASQ5aQMcJSLIXCrV13R+yN/qr8qOUDKA88a9avIg
  cArcSEWSQ91ZxYYIijnqMHNBWs1REM6U/FRuW28yM4JtZTyxB8baZUVczAfOnOja
  yAuJ0UVyshNOZxk5W1OJTjrkqY7+JM0CdnJuYUSqvsQb9L3hiAJ/wHzUQw5pN1J3
  Igoo6eLoBj2QC2Fgz1TwJEohelF3F+BVlEvjWjPHi5D0r2e1+HDNNjpWWZctebp7
  Aw7kguV1bymfiG3stoHkP/VU2MyCznS6vXI/PWh4KgI=
  -----END RSA PRIVATE KEY-----
  Any Ideas ??

• CSS 11150 - "Keepalive type http" doesn't work.

  I've two webservers, A and B, sharing the same webdata on a NetApp filer. A CSS 11150 (5.033) have a content rule, C, with a VIP registred in internet DNS.
  I've added A and B to C. When using default "Keep alive type (ICMP)" on services the site is fully functional. When I disable the site on webserver A, clients attached to this server get errors and are not redirected to the B webserver. This is because the CSS doesn't check the for "Keepalive type http".
  The CSS thinks that A is online because it is answering for ping. This solution is not good so I tried to change the "Keepalive type" to http. This is better when something is wrong with one of the load-balanced webservers, but when activating "Keepalive type http" the CSS marks A and B down and site is offline.
  Is something wrong with my configuration???
  service lbws1.kov
  ip address xx.xx.193.25
  protocol tcp
  port 80
  active
  service lbws2.kov
  ip address xx.xx.193.27
  port 80
  protocol tcp
  active
  owner KOV
  content D
  protocol tcp
  add service lbws1.kov
  add service lbws2.kov
  balance aca
  port 80
  advanced-balance sticky-srcip-dstport
  vip address xx.xx.193.245
  active
  content C
  add service lbws1.kov
  add service lbws2.kov
  protocol tcp
  port 80
  balance aca
  advanced-balance sticky-srcip-dstport
  vip address xx.xx.193.28
  active

  By default the CSS will attempt to read http:///index.html
  It looks like that may not exist. Try to access the index page yourself from each of the services.

• CSS SSL and link modification problem

  Hi all
  We have a problem using our CSS to offload SSL for a site. The offload works for the first connection, but the web application seems to be rewriting relative links as absolute links.
  For example, a user hits the site at https://www.mydomain.com. The CSS is configured to terminate the SSL traffic, and then send HTTP to the internal web server on TCP/81.
  What we're seeing in the client's browser is that all links are being returned as http://www.mydomain.com:81/... instead of https://www.mydomain.com/...
  Any idea of how we can do this without messing around with the web server too much? I.e. is there a way on the CSS to do link translation?
  Thanks

  If the link are indeed hardcoded like this, there is nothing the CSS can do.
  Bad server design.
  If the server is returning a redirect to http://... the CSS can intercept it and rewrite it to https.
  Please verify if there is a redirect.
  Gilles.

• CSS SSL

  I have a CSS11501 and the decision has been made to load the certificates on the servers instead of using the load balancer ssl module. Is this possible? The ssl termination point will be the servers instead of the css. I don't feel that this is the best way to go, but mgmt does. Can someone please point me in the right direction.
  Thanks!

  As Jeramy mentioned the configuration you have provided will work. However, the services do not require the "port 443" NAT rule to be hardset(services will inherit the port defined within the content rule), the keep-alive check for the services you created are using the default ICMP check, and what would be the reason for the group rule? Do you wish to perform internal load balancing with this rule?
  The group rule will SNAT all client requests to appear as the 192.168.20.4 VIP address. Even though the CSS does not support the X-Forwarded-For HTTP option you can accomplish the same thing and be able to hit your VIP internally while preserving the client IP addresses by using ACLs on the CSS.
  - Jason

• CSS - SSL Certificates

  We have two 11503's each with an SSL module, in a redundant VIP configuration. Can we load the same certificate on both CSS's? Or must we obtain a separate certificate?
  Thanks!

  you can use the same certificate in both CSS.
  Gilles.

• CSS SSL blade

  Hi Gilles
  With respect to the SSL blade on the CSS how can I have it configured for the following.
  I have one web instance 10.1.1.1:2011. It has a certificate on it "cert" and one domain. Now I want it to service 2 more domains using the certificate cert_a and cert_b. Can I do this? How do I go about this?
  Thank you
  Regards
  Soni

  you simply create new ssl_server in your proxylist.
  Something like this :
  ssl-proxy-list MyList
  ssl-server 10 rsakey KEY-A
  ssl-server 10 rsacert CERT-A
  ssl-server 10 vip address x.x.x.xA
  ssl-server 20 rsakey KEY-B
  ssl-server 20 rsacert CERT-B
  ssl-server 20 vip address x.x.x.xB
  You need a new vip address or a new port for each domain. You can't use the same ip:port for different domain because the decryption process starts before we can determine which domain is contained in the HTTP header.
  Gilles.