Forum Discussion

Chris_DiPietro_
May 10, 2013

2way SSL with Client?

Normally when handling SSL authentication we proxy it to the server, but I have been asked if this can be offloaded to the F5.

So the scenario is: the client connects to the F5 via SSL. We want the F5 to require the client to provide a cert and then not only check that the cert is valid, but also authenticate that the client is authorized to connect.

In the server world both the client and server share keys so they know who the other is, but can this be done on an F5? I only see how I can make the client provide a cert and verify it is a valid SSL certificate, but I do not see a way to validate that it is the client I wish to allow.

Can this be done? Is there some sort of iRule or other module I need to load to make this work?

Thanks

Chris

 

1 Reply

  • There are a ton of ways to deal with client certificates, and all of them more or less depend on your "vetting" capacity.

    At a minimum, once you've terminated the SSL, you have access to the entire X.509 certificate. Here are a few things you can do:

    1. With an iRule you can inspect (and filter on) any attribute in the certificate (e.g. subject, issuer, validity dates, algorithms, etc.).

    2. You can compare that information using static data (hard-coded values, data groups, iFiles) and dynamically (sideband web service calls, DNS TXT records).

    3. You can import a CRL into the client SSL profile and check certificate revocation.

    4. If you have Access Policy Manager (APM) licensed, you can also do OCSP and CRLDP for revocation, and LDAP/AD/RADIUS/TACACS/etc. for authentication.
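The following iRule is an added example illustrating items 1 and 2 of the reply above (inspecting certificate attributes and comparing them against a data group); it is not code from the original post or from F5. It assumes a client SSL profile configured with Client Certificate set to "require" and a Trusted Certificate Authorities bundle, so the chain is already validated before CLIENTSSL_CLIENTCERT fires, and it assumes a string data group with the hypothetical name dg_allowed_clients whose keys are "<lowercase issuer DN>|<lowercase serial number>" and whose values are labels used only for logging. The exact string format returned by X509::issuer and X509::serial_number on your version is something to confirm by logging a real cert first; the keys in the data group must match that format.

```tcl
# Added example (not from the original post). Authorizes a client certificate
# by issuer DN + serial number against a data group, after the profile has
# already checked validity and chain of trust.
#
# Assumptions (hypothetical names, adjust to your environment):
#   - client-ssl profile: Client Certificate = require, Trusted CAs bundle set
#   - string data group "dg_allowed_clients", keys of the form
#       "<lowercase issuer dn>|<lowercase serial>"  ->  "<label>"
#   - iRule attached to the same virtual server as the profile
when CLIENTSSL_CLIENTCERT {
    # Defensive: the profile should already have rejected missing or
    # untrusted certs, but check the count and the verify result anyway.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0. "client cert missing or failed verification from [IP::client_addr]"
        reject
        return
    }

    set cert    [SSL::cert 0]
    set subject [X509::subject $cert]
    set issuer  [string tolower [X509::issuer $cert]]
    # Normalize the serial: strip any colons/spaces so it matches the
    # data group key format regardless of how it is rendered.
    set serial  [string tolower [string map {":" "" " " ""} [X509::serial_number $cert]]]
    set key     "${issuer}|${serial}"

    # Authorization step: a valid cert is not enough, it must be on the list.
    # class match -value returns the data group value, or "" when no key matches.
    set label [class match -value $key equals dg_allowed_clients]
    if { $label eq "" } {
        log local0. "client cert not authorized: subject=$subject issuer=$issuer serial=$serial"
        reject
        return
    }

    log local0. "client cert authorized as $label: subject=$subject"
}
```

Keying on issuer plus serial (rather than subject alone) means a certificate with the same CN issued by a different CA, or a reissued certificate with a new serial, is not accepted until you explicitly add it; combining this with the CRL on the profile (item 3 above) covers the case where an authorized certificate is later revoked.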