Forum Discussion
sgnormo
Cirrus
CirrusC3D and header insert
Have a F5 that is a WAF so is performing the break and inspect on user web traffic sending through the ASM module. Since the customers backend requires a user certificate I explained to the user the...
If I may add,
Proxy SSL would only be useful if a) you could guarantee only (legacy) RSA TLS handshakes, and b) you had a copy of the backend server's private keys. Proxy SSL can only be used with RSA handshakes, so would never work with most modern crypto, including TLS1.3.
Nikoolayy1 has the right answer. Because C3D is actively decrypting the traffic in the proxy, you can add an HTTP profile and use HTTP iRules here to inject HTTP headers.
sgnormoCirrus
CirrusIf i reading the KB correctly the backend server will perform the client authentication, but in my environment the F5 must handle the user authentication and the F5 will pass the user certificate to the node.
Not a bad option, just that it allows direct communications between the client and backend server.
Amine_Kadimi
MVP
MVPMy bad, I misunderstood the customer requirement. If I understand correctly, they want the exact certificate presented by the client to be presented by F5 as part of the ssl handshake process with the server. For me, this seems to break the whole ssl security process, and if technically permitted it would clearly make mitm attacks easier as any inline equipment can terminate the ssl communication and start a new one server side with the original certificate impersonating the client.
As for c3d, it's a feature that helps reusing the fields from the client certificate to forge a new client certificate and send it to backend servers.
Your customer should understand the security concerns with such a requirement.
Just my two cents. I hope DC experts can give you a better solution.