Certificates implementation in "SSL forward proxy client and server authentication" scenario.
Attaching to the topic, what if I have a requirement to make client auth on the server side? How to proceed with this correctly?
Do you mean pass the client certificate to the server? If so, you have two options:

- Don't offload SSL - simply pass the SSL layer data through the proxy. You cannot see any of the layer 7 traffic, so there's a lot of really cool capabilities that you'll lose by doing this, but it's an option nonetheless.
- ProxySSL - this is an SSL man-in-the-middle function that allows a BIG-IP to "see" decrypted payload between a client and server, without technically being part of any SSL handshakes. There is some complexity to this approach, and frankly it doesn't work in every environment and for every set of ciphers, but when it does work, you can see and affect the layer 7 payload.
Simply put, when a client and server engage in mutual SSL authentication, the client will first digitally sign its certificate before sending it to the server. A digital signature is basically a hash of some piece of data that is then encrypted with the sender's private key. The recipient generates a new hash of the sent data, decrypts the digital signature with the sender's public key (in the certificate) and then compares the two values. If they are the same, then the recipient knows that 1) the sender is who they say they are by virtue of private key possession, and 2) the data has not been altered in transit. The certificate itself is also used to verify cryptographic "trust" between the client (or server) and a common trusted "anchor". It is for this reason that you cannot terminate SSL at the proxy and get the client's certificate to the server - because 1) terminating the SSL would destroy the digital signature, 2) and only the client would have a copy of the private key needed to generate a new one.
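The reasoning in the answer above, worked through in code. This is an added example, not code from the thread or from F5; it uses an ECDSA key pair and SHA-256 as a stand-in for the client's handshake signature, and all type and function names (`clientIdentity`, `verifySignature`, `runScenario`) and the "transcript" byte strings are constructed for illustration. It goes slightly beyond the answer's text in one respect: besides showing that a terminating proxy cannot sign with the client's private key, it also shows that forwarding the client's original signature does not help, because the proxy-to-server handshake is different data from what the client signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Illustrative types and names; not BIG-IP code.

// clientIdentity is what only the real client holds: the private key that
// matches the public key inside its certificate.
type clientIdentity struct {
	priv *ecdsa.PrivateKey
}

func newClientIdentity() (*clientIdentity, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &clientIdentity{priv: priv}, nil
}

// certPublicKey is the part a proxy can see: the public key carried in the certificate.
func (c *clientIdentity) certPublicKey() *ecdsa.PublicKey {
	return &c.priv.PublicKey
}

// sign hashes the handshake data and signs the digest with the private key,
// which is the client-side step the answer describes.
func (c *clientIdentity) sign(handshakeData []byte) ([]byte, error) {
	digest := sha256.Sum256(handshakeData)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// verifySignature is the server-side check: rehash what was received and test
// the signature against the public key from the presented certificate.
func verifySignature(pub *ecdsa.PublicKey, handshakeData, sig []byte) bool {
	digest := sha256.Sum256(handshakeData)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// scenarioResult records whether each attempt verifies on the server side.
type scenarioResult struct {
	DirectOK   bool // client -> server, untouched: verifies
	TamperedOK bool // data altered in transit: fails
	ReplayOK   bool // proxy forwards the client's signature into its own handshake: fails
	ForgedOK   bool // proxy signs with its own key while presenting the client's cert: fails
}

func runScenario() (scenarioResult, error) {
	var res scenarioResult
	client, err := newClientIdentity()
	if err != nil {
		return res, err
	}
	pub := client.certPublicKey()

	// Constructed stand-ins for handshake transcripts. Every TLS handshake carries
	// its own random values, so the client<->proxy leg and the proxy<->server leg differ.
	clientLeg := []byte("constructed transcript: client<->proxy handshake, random=A1")
	serverLeg := []byte("constructed transcript: proxy<->server handshake, random=B2")

	sig, err := client.sign(clientLeg)
	if err != nil {
		return res, err
	}

	// 1) Untouched: the server rehashes the same data the client signed.
	res.DirectOK = verifySignature(pub, clientLeg, sig)

	// 2) Altered in transit: one flipped byte and the hashes no longer agree.
	tampered := append([]byte(nil), clientLeg...)
	tampered[len(tampered)-1] ^= 0x01
	res.TamperedOK = verifySignature(pub, tampered, sig)

	// 3) Terminating proxy relays the client's certificate and signature, but the
	//    server-side handshake is different data, so the signature does not verify.
	res.ReplayOK = verifySignature(pub, serverLeg, sig)

	// 4) Terminating proxy signs the server-side handshake with the only private key
	//    it has (its own) while presenting the client's certificate: key mismatch.
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	digest := sha256.Sum256(serverLeg)
	proxySig, err := ecdsa.SignASN1(rand.Reader, proxyKey, digest[:])
	if err != nil {
		return res, err
	}
	res.ForgedOK = verifySignature(pub, serverLeg, proxySig)

	return res, nil
}

func main() {
	res, err := runScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("direct=%v tampered=%v replay=%v forged=%v\n",
		res.DirectOK, res.TamperedOK, res.ReplayOK, res.ForgedOK)
}
```

Only the first case verifies. Cases 3 and 4 are the two reasons the answer gives: a terminating proxy holds neither a signature over the server-side handshake nor the private key needed to create one, which is why passing the SSL layer through untouched (or using ProxySSL, where the proxy is not a party to the handshake) is what keeps the client's own authentication intact end to end.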