Forum Discussion
C3D and header insert
- Nov 28, 2022
If I may add,
Proxy SSL would only be useful if a) you could guarantee only (legacy) RSA TLS handshakes, and b) you had a copy of the backend server's private keys. Proxy SSL can only be used with RSA handshakes, so would never work with most modern crypto, including TLS1.3.
Nikoolayy1 has the right answer. Because C3D is actively decrypting the traffic in the proxy, you can add an HTTP profile and use HTTP iRules here to inject HTTP headers.
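The approach above, as an added worked example (it is not code from the thread or from F5's documentation): an iRule that captures the client certificate on the C3D-terminated client-side handshake and inserts a few of its fields as HTTP headers on the server side. It assumes a virtual server with an HTTP profile, a client SSL profile that requires a client certificate and has C3D enabled, and a server SSL profile with C3D enabled; the header names are illustrative choices.

```tcl
# Assumed setup (not from the thread): virtual server with an HTTP profile,
# a client SSL profile that requires a client certificate with C3D enabled,
# and a server SSL profile with C3D enabled. Header names are illustrative.

when CLIENT_ACCEPTED {
    # Reset per-connection state so a keep-alive connection never carries
    # certificate data from an earlier handshake on the same connection.
    set client_cert_ok 0
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has presented its certificate in the handshake
    # that BIG-IP terminates on the client side.
    if { [SSL::cert count] > 0 } {
        set cert         [SSL::cert 0]
        set cert_subject [X509::subject $cert]
        set cert_issuer  [X509::issuer $cert]
        set cert_serial  [X509::serial_number $cert]

        # A verify result of 0 means the chain validated against the CAs
        # configured in the client SSL profile.
        if { [SSL::verify_result] == 0 } {
            set client_cert_ok 1
        } else {
            log local0. "Client cert failed verification: \
                [X509::verify_cert_error_string [SSL::verify_result]]"
        }
    }
}

when HTTP_REQUEST {
    # Strip any client-supplied copies first, otherwise a client could feed
    # the backend a forged identity through the same header names.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"
    HTTP::header remove "X-Client-Cert-Serial"
    HTTP::header remove "X-Client-Cert-DER-B64"

    if { $client_cert_ok } {
        HTTP::header insert "X-Client-Cert-Subject" $cert_subject
        HTTP::header insert "X-Client-Cert-Issuer"  $cert_issuer
        HTTP::header insert "X-Client-Cert-Serial"  $cert_serial
        # Full DER certificate, base64-encoded, for backends that want to
        # inspect it themselves (the C3D-forged cert is what they see on the
        # TLS layer, so this is the only way to hand them the original).
        HTTP::header insert "X-Client-Cert-DER-B64" [b64encode $cert]
    } else {
        # Policy choice: refuse requests that did not present a verified cert.
        HTTP::respond 403 content "Client certificate required"
    }
}
```

Two caveats a practitioner would check. First, the headers are only trustworthy if the backend accepts them exclusively from the BIG-IP (and the BIG-IP strips them on the way in, as above); nothing in the header itself proves who inserted it. Second, if the client SSL profile requests the certificate on renegotiation rather than on the initial handshake, HTTP_REQUEST can fire before CLIENTSSL_CLIENTCERT, so the state must be re-checked on every request rather than assumed from the first one.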
This is a typical scenario where I would use the Proxy SSL feature of client and server SSL profiles.
From the KB: "The Proxy SSL feature enables the BIG-IP system to optimize SSL traffic between the client and the destination server, without terminating the SSL connection on the BIG-IP system"
ASM inspection and other L7 features are supported.
- sgnormo, Nov 26, 2022 (Cirrus)
If I am reading the KB correctly, the backend server will perform the client authentication, but in my environment the F5 must handle the user authentication and the F5 will pass the user certificate to the node.
Not a bad option, just that it allows direct communications between the client and backend server.
- Amine_Kadimi, Nov 26, 2022 (MVP)
My bad, I misunderstood the customer requirement. If I understand correctly, they want the exact certificate presented by the client to be presented by the F5 as part of the SSL handshake process with the server. For me, this seems to break the whole SSL security process, and if technically permitted it would clearly make MITM attacks easier, as any inline equipment could terminate the SSL communication and start a new one server-side with the original certificate, impersonating the client.
As for C3D, it's a feature that helps reuse the fields from the client certificate to forge a new client certificate and send it to backend servers.
Your customer should understand the security concerns with such a requirement.
Just my two cents. I hope DC experts can give you a better solution.