Forum Discussion
Big IP proxy ssl feature question
Hi guys,
I've a question about the proxy ssl feature.
I had a virtual server, with a client and a server certificate. Both have the proxy ssl feature enabled. I think it works fine. I could authenticate against the backend server with a client certificate.
But the problem is the following.
From the client side I use the url https://test.domain.de with a corresponding official certificate.
In the backend, I must use a different certificate with the CN name from the backend server ().
Now, while the client requests the url https://test.domain.de, he gets a certificate error, because the certificate is from the backend server. So there is no match between the url https://test.domain.de and the certificate from the backend server.
Is it normal that the client gets the certificate from the backend server while proxy ssl is enabled? Or is there some configuration mistake?
Thanks for your help.
- nathe
Cirrocumulus
ic3man1986, the certificates need to be imported from the backend server and imported onto the bigip, check the following articles: Overview of the Proxy SSL feature and Error Message: 01260015:3: Certificate supplied by server was not configured on virtual
Hope this helps,
N
- dragonflymr
Cirrostratus
Hi,
Be aware that Proxy SSL does not make much sense these days. Most of the ciphers used (especially DH) are breaking this functionality - BIG-IP is not able to decrypt traffic.
Except for some very special requirements where you have to ensure that BIG-IP is able to decrypt, there is no point in using Proxy SSL; just let SSL traffic go through BIG-IP encrypted.
If you have to let BIG-IP decrypt traffic, then you have to ensure that your backend server will accept only ciphers that allow decryption on BIG-IP = rather ancient and not very safe ciphers.
Piotr
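
The reply above turns on which key exchange a cipher suite uses. As an added example (not part of the thread and not F5 code), this Python sketch sorts an OpenSSL-style cipher list by key exchange, assuming that a device holding only the server's RSA private key can recover session keys for RSA key exchange but not for ephemeral DHE/ECDHE. The function names and the sample list are constructed for illustration.

```python
import re

# TLS 1.3 suite names; TLS 1.3 always uses an ephemeral (EC)DHE key exchange.
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")
# OpenSSL name prefixes for ephemeral Diffie-Hellman key exchange (TLS <= 1.2).
EPHEMERAL = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-")
# Prefixes for key exchanges that are neither plain RSA nor ephemeral DH.
OTHER = ("PSK-", "RSA-PSK-", "SRP-", "DH-", "ECDH-", "KRB5-", "GOST")


def key_exchange(name):
    """Return 'rsa', 'ephemeral' or 'other' for one OpenSSL-style suite name."""
    n = name.strip().upper()
    if n.startswith("EXP-"):          # export-grade marker precedes the prefix
        n = n[4:]
    if TLS13.match(n) or n.startswith(EPHEMERAL):
        return "ephemeral"
    if n.startswith(OTHER):
        return "other"
    # OpenSSL omits the key-exchange prefix when the suite uses RSA key
    # exchange, e.g. AES128-SHA is TLS_RSA_WITH_AES_128_CBC_SHA.
    return "rsa"


def audit(cipher_string):
    """Group a colon-separated cipher list (as `openssl ciphers` prints it)."""
    groups = {"rsa": [], "ephemeral": [], "other": []}
    for name in filter(None, (c.strip() for c in cipher_string.split(":"))):
        groups[key_exchange(name)].append(name)
    return groups


# Constructed sample list, not taken from any real server.
SAMPLE = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES128-SHA:"
          "AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:DES-CBC3-SHA")

if __name__ == "__main__":
    for kx, names in audit(SAMPLE).items():
        print(f"{kx:10} {', '.join(names) or '-'}")
```

Only the suites in the `rsa` group meet the decryption requirement the reply describes, and those suites provide no forward secrecy.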