Forum Discussion
Chris_DiPietro_
Nimbostratus
May 10, 2013
2way SSL with Client?
Normally when handling SSL authentication we proxy it to the server, but I have been asked if this can be offloaded to the F5.
So the scenario is Client connects to F5 via SSL, We want th...
Kevin_Stewart
Employee
May 10, 2013
There are a ton of ways to deal with client certificates and all of them more or less depend on your "vetting" capacity.
At a minimum, once you've terminated the SSL, you have access to the entire x509 certificate. Here are a few things you can do:
1. With an iRule you can inspect (and filter on) any attribute in the certificate (ex. subject, issuer, validity dates, algorithms, etc.).
2. You can compare that information using static data (hard coded values, data groups, iFiles), and dynamically (sideband webservices calls, DNS TXT records).
3. You can import a CRL into the clientSSL profile and check certificate revocation.
4. If you have Access Policy Manager (APM) licensed, you can also do OCSP and CRLDP for revocation, and LDAP/AD/RADIUS/TACACS/etc. for authentication.
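
An iRule sketch of items 1 and 2 from the reply above, added here as an example; it is not part of the original post. It assumes the clientSSL profile is set to request or require a client certificate and trusts the issuing CA. The data group name `allowed_client_subjects` and the header name `X-Client-Cert-Subject` are hypothetical.

```tcl
# Added example, not from the thread. "allowed_client_subjects" is a
# hypothetical string data group holding the permitted subject DNs.
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: drop the connection.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    # Chain validation result from the profile (0 means the chain verified).
    set result [SSL::verify_result]
    if { $result != 0 } {
        log local0. "Client cert rejected: [X509::verify_cert_error_string $result]"
        reject
        return
    }
    # Item 1: read attributes from the leaf certificate.
    set cert [SSL::cert 0]
    set subject [X509::subject $cert]
    set issuer [X509::issuer $cert]
    # Item 2: compare the subject against static data (a data group).
    if { ![class match $subject equals allowed_client_subjects] } {
        log local0. "Client cert not on allowlist: subject=$subject issuer=$issuer"
        reject
        return
    }
}

when HTTP_REQUEST {
    # Remove any copy of this header supplied by the client before
    # inserting the value taken from the verified certificate.
    HTTP::header remove "X-Client-Cert-Subject"
    if { [SSL::cert count] > 0 } {
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
    }
}
```

The backend should accept the inserted header only from the BIG-IP, since it is the sole evidence of the client's identity once SSL has been offloaded.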