Forum Discussion

Cirrus

Nov 25, 2022

C3D and header insert

Have a F5 that is a WAF so is performing the break and inspect on user web traffic sending through the ASM module. Since the customers backend requires a user certificate I explained to the user the...

Kevin_Stewart
Nov 28, 2022
If I may add,

Proxy SSL would only be useful if a) you could guarantee only (legacy) RSA TLS handshakes, and b) you had a copy of the backend server's private keys. Proxy SSL can only be used with RSA handshakes, so would never work with most modern crypto, including TLS1.3.

Nikoolayy1 has the right answer. Because C3D is actively decrypting the traffic in the proxy, you can add an HTTP profile and use HTTP iRules here to inject HTTP headers.

Amine_Kadimi

MVP

Nov 25, 2022

This is a typical scenario where I would use the proxy ssl feature of client and server ssl profiles.

From the KB: "The Proxy SSL feature enables the BIG-IP system to optimize SSL traffic between the client and the destination server, without terminating the SSL connection on the BIG-IP system"

ASM inspection and other L7 features are supported.

Check https://support.f5.com/csp/article/K13385

sgnormo
Cirrus
Nov 26, 2022
If i reading the KB correctly the backend server will perform the client authentication, but in my environment the F5 must handle the user authentication and the F5 will pass the user certificate to the node.
Not a bad option, just that it allows direct communications between the client and backend server.
- Amine_Kadimi
  MVP
  Nov 26, 2022
  My bad, I misunderstood the customer requirement. If I understand correctly, they want the exact certificate presented by the client to be presented by F5 as part of the ssl handshake process with the server. For me, this seems to break the whole ssl security process, and if technically permitted it would clearly make mitm attacks easier as any inline equipment can terminate the ssl communication and start a new one server side with the original certificate impersonating the client.
  
  As for c3d, it's a feature that helps reusing the fields from the client certificate to forge a new client certificate and send it to backend servers.
  
  Your customer should understand the security concerns with such a requirement.
  
  Just my two cents. I hope DC experts can give you a better solution.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

C3D and header insert

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Security Headers Insertion

iRule Header Insert

C3D forged certificate

iRule header insert

Insert Basic Auth Header

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS