spud_141786
Sep 08, 2014

Adding APM to an application with existing X.509 client authentication

Hi All,


I have the following challenge. A client has an existing application using X.509 SSL client authentication. Currently there is no LTM/APM involved.


The client would like to add LTM/APM while preserving the application server's visibility of the client certificate. Is there any way to proxy the SSL through the F5 to provide LTM/APM protocol visibility, while still preserving the client certificate through to the back end server?


My gut says that this is not feasible. The F5 does not have the private key for the client certificate, so there is no way that it could terminate and start a new SSL session using the client certificate; after all, that is the point of SSL. However, I just wanted to make sure I am not missing any possibility.


Thanks, -Brian


1 Reply

  • Your gut is correct. There is indeed an SSL man-in-the-middle capability called "ProxySSL", but a) it requires a copy of the server's private key, and b) it does not generally work with APM. ProxySSL silently listens to the client-server SSL handshake, decrypts the premaster secret sent by the client and encrypted with the server's public key, and then derives the same session encryption key. It uses this key to silently decrypt and re-encrypt the bulk-encrypted traffic after the SSL handshake. One of the biggest implications of this process is that you cannot interrupt the client-server handshake dialog. You can't load balance to different pool members, and you can't insert any preemptive actions, like APM message boxes or logon pages. You could technically run APM in clientless mode, which disables the initial redirect and preemptive controls, but then you'd also mostly negate APM's functionality.
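The reply above describes a passive decryptor: it needs the server's private key to recover the premaster secret from the ClientKeyExchange, and it needs to see the handshake exactly as both ends see it. The script below is an added example, not F5's ProxySSL or any part of BIG-IP, that simulates that derivation so the two constraints can be checked directly. The RSA in it is a deliberately small, unpadded textbook stand-in for the server certificate's key (the premaster-decryption step only exists for RSA key exchange; with (EC)DHE the server key does not help a passive observer); the PRF is the real TLS 1.2 PRF from RFC 5246. All function names are hypothetical.

```python
"""Added example: what a passive TLS decryptor (as described for ProxySSL) needs.

Toy RSA (512-bit, no PKCS#1 padding) stands in for the server certificate key;
tls12_prf is the real TLS 1.2 PRF (RFC 5246 section 5, P_SHA256).
Not F5 code. Do not reuse the RSA parts for anything real.
"""
import hashlib
import hmac
import secrets

PMS_LEN = 48  # premaster secret: 2 version bytes + 46 random bytes
MS_LEN = 48   # master secret length


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with small trial divisions; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)); toy size on purpose."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e prime, so gcd(e, phi) == 1
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pub, msg):
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "message must be smaller than the modulus"
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt(priv, ct):
    n, d = priv
    m = pow(int.from_bytes(ct, "big"), d, n)
    return m.to_bytes((n.bit_length() + 7) // 8, "big")[-PMS_LEN:]


def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed), RFC 5246 5."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def master_secret(premaster, client_random, server_random):
    return tls12_prf(premaster, b"master secret", client_random + server_random, MS_LEN)


def client_handshake(server_pub):
    """Client side of an RSA key exchange: what is visible on the wire, plus the
    master secret the client derives privately."""
    client_random = secrets.token_bytes(32)  # ClientHello.random
    server_random = secrets.token_bytes(32)  # ServerHello.random as the client saw it
    premaster = b"\x03\x03" + secrets.token_bytes(46)
    wire = {"client_random": client_random, "server_random": server_random,
            "client_key_exchange": rsa_encrypt(server_pub, premaster)}
    return wire, master_secret(premaster, client_random, server_random)


def derive_from_wire(server_priv, wire):
    """The server's own computation, and exactly what a passive proxy holding the
    same private key repeats from the observed handshake."""
    premaster = rsa_decrypt(server_priv, wire["client_key_exchange"])
    return master_secret(premaster, wire["client_random"], wire["server_random"])


def demo():
    server_pub, server_priv = rsa_keygen()
    wire, client_ms = client_handshake(server_pub)
    proxy_ms = derive_from_wire(server_priv, wire)              # 1. key + verbatim handshake
    tampered = dict(wire, server_random=secrets.token_bytes(32))  # 2. proxy altered a Hello field
    tampered_ms = derive_from_wire(server_priv, tampered)
    _, other_priv = rsa_keygen()                                 # 3. some other private key
    wrong_key_ms = derive_from_wire(other_priv, wire)
    return {"proxy_matches_client": proxy_ms == client_ms,
            "tampered_matches_client": tampered_ms == client_ms,
            "wrong_key_matches_client": wrong_key_ms == client_ms}


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the first check comes out true: the observer that holds the server's private key and sees both Hello randoms unchanged derives the same master secret as both endpoints. Changing any handshake field that one side sees and the other does not (case 2) or lacking the server's key (case 3) yields a different secret, which is why such a proxy cannot redirect the handshake to a different pool member or inject its own pages before the session is up.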