Forum Discussion
C3D and header insert
This is a typical scenario where I would use the Proxy SSL feature of client and server SSL profiles.
From the KB: "The Proxy SSL feature enables the BIG-IP system to optimize SSL traffic between the client and the destination server, without terminating the SSL connection on the BIG-IP system."
ASM inspection and other L7 features are supported.
- sgnormo (Cirrus), 3 years ago
If I am reading the KB correctly, the backend server will perform the client authentication, but in my environment the F5 must handle the user authentication and the F5 will pass the user certificate to the node.
Not a bad option, just that it allows direct communications between the client and backend server.
- Amine_Kadimi (MVP), 3 years ago
My bad, I misunderstood the customer requirement. If I understand correctly, they want the exact certificate presented by the client to be presented by F5 as part of the SSL handshake process with the server. For me, this seems to break the whole SSL security process, and if technically permitted it would clearly make MITM attacks easier, as any inline equipment can terminate the SSL communication and start a new one server side with the original certificate, impersonating the client.
As for C3D, it's a feature that helps reuse the fields from the client certificate to forge a new client certificate and send it to backend servers.
Your customer should understand the security concerns with such a requirement.
Just my two cents. I hope DC experts can give you a better solution.