Forum Discussion
Certificates implementation in "SSL forward proxy client and server authentication" scenario.
I want to implement SSL forward proxy client and server authentication, and I am not sure how certificates are implemented. How can it be done? I mean how do I have to implement client and server certificates in order to proxy/forward SSL traffic to a backend SSL server? I am using a BIG-IP LTM appliance.
- Kevin_Stewart (Employee)
In most cases you don't need to do anything specific with the server SSL profile. This is the client side of the SSL handshake with the server, and will (unless instructed otherwise) blissfully ignore any subject or trust mismatches. So given that you have a generic environment that requires SSL termination on the client side to the F5, and re-encryption to the server, the following is an absolute basic requirement for this to work:
- Client SSL profile - at a minimum you need the server certificate and private key that will be presented to the client during the client side SSL handshake. Unless you're also doing client certificate authentication, or mandating different cipher suites, you shouldn't need anything else configured in this profile.
- Server SSL profile - in many cases the default serverssl profile is sufficient to re-encrypt the traffic to the back end. The server will present its certificate to the client (server SSL profile) during the SSL handshake, and the client will ignore the certificate mismatch and carry on. If you're running an older IIS or Apache instance, you may not be able to support the newer secure renegotiation capability, so you can either set the Secure Renegotiation option in the server SSL profile to "Request", or simply use the serverssl-insecure-compatible profile.
- Alain_Morin_147 (Nimbostratus)
How can this be done via CLI? I cannot post screenshots.
- Cory_50405 (Noctilucent)
From TMSH:
list ltm virtual
list ltm profile client-ssl
- Alain_Morin_147 (Nimbostratus)
list ltm virtual VS-TESTVERINT-443
ltm virtual VS-TESTVERINT-443 {
    destination 172.29.243.27:https
    ip-protocol tcp
    mask 255.255.255.255
    pool P-TESTVERINT-443
    profiles {
        CSSL-TESTVERINT {
            context clientside
        }
        SSSL-SNVERAPP {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool VIP-TESTVERINT
        type snat
    }
    vlans-disabled
}
list ltm profile client-ssl CSSL-TESTVERINT
ltm profile client-ssl CSSL-TESTVERINT {
    app-service none
    cert-extension-includes none
    cert-lifespan 30
    defaults-from clientssl
    proxy-ca-cert VERINT.EXT.VIDEOTRON.COM.crt
    proxy-ca-key VERINT.EXT.VIDEOTRON.COM.key
    proxy-ca-passphrase $M$q7$IQDtaQ4oZ2BXvIAqz5s2Bg==
    ssl-forward-proxy enabled
}
list ltm profile server-ssl SSSL-SNVERAPP
ltm profile server-ssl SSSL-SNVERAPP {
    alert-timeout 10
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert SNVERAPP3.EXT.VIDEOTRON.COM.crt
    chain none
    ciphers DEFAULT
    defaults-from serverssl
    handshake-timeout 10
    key SNVERAPP3.EXT.VIDEOTRON.COM.key
    mod-ssl-methods disabled
    options { dont-insert-empty-fragments }
    passphrase $M$mF$IT/oLKnaCjrDzrPuNam/KA==
    proxy-ssl disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require-strict
    server-name none
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy enabled
    strict-resume disabled
    unclean-shutdown enabled
}
- Kevin_K_51432 (Historic F5 Account)
Hi Alain, I would try the steps in the 11.5.0 manual. There is an error in the 11.3.0 manual that has been corrected. This step isn't necessary and has been removed:
Important: The certificate and key that you specify in this profile must match the certificate/key pair that you expect the back-end server to offer. If the back-end server has two or more certificates to offer, you must create a separate Server SSL forward proxy profile for each certificate, and then assign all of the Server SSL forward proxy profiles to a single virtual server.
There was some confusion here with another SSL Proxy feature. Essentially, you should only need the CA key and certificate to sign the newly created (on the fly) certificates.
Corrected guide:
Hope this helps, Kevin
- Cory_50405 (Noctilucent)
It sounds like you are doing reverse proxy, not forward proxy.
For your client SSL profile, you should only need to specify your certificate and key. Can you modify your client SSL profile to remove all other configurations than the certificate and key, and then retest?
If you are doing any kind of client certificate based authentication, then other options will need to be specified.
- Alain_Morin_147 (Nimbostratus)
In reality, the client hits the URL https://verint.ext.videotron.com, and what I need is to be able to decrypt and re-encrypt traffic from the F5 to a load-balanced pool of 2 servers using SSL. Those 2 backend servers are called snverapp1.ext.videotron.com and snverapp3.ext.videotron.com. The applications on those servers require that conversations are encrypted via SSL.
- Cory_50405 (Noctilucent)
Yes, this is definitely a reverse proxy scenario then. Change your client SSL profile to only specify the certificate and key, and then retest connectivity.
- Alain_Morin_147 (Nimbostratus)
I followed the 11.5.0 procedure but I still have the same error. Here is my current config, as posted before:
list ltm virtual VS-TESTVERINT
ltm virtual VS-TESTVERINT {
    destination 172.29.243.27:http
    ip-protocol tcp
    mask 255.255.255.255
    pool P-TESTVERINT
    profiles {
        CSSL-TESTVERINT {
            context clientside
        }
        SSSL-SNVERAPP {
            context serverside
        }
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool VIP-TESTVERINT
        type snat
    }
    vlans-disabled
}
list ltm profile client-ssl CSSL-TESTVERINT
ltm profile client-ssl CSSL-TESTVERINT {
    app-service none
    cert-extension-includes none
    cert-lifespan 30
    defaults-from clientssl
    proxy-ca-cert TESTVERINT.EXT.VIDEOTRON.COM.crt
    proxy-ca-key TESTVERINT.EXT.VIDEOTRON.COM.key
    proxy-ca-passphrase $M$Oy$plRYv/NIjd7CVO5FRnJGxA==
    ssl-forward-proxy enabled
}
list ltm profile server-ssl SSSL-SNVERAPP
ltm profile server-ssl SSSL-SNVERAPP {
    app-service none
    cert default.crt
    defaults-from serverssl
    key default.key
    ssl-forward-proxy enabled
}
- Cory_50405 (Noctilucent)
You are specifying forward proxy in your client SSL profile. For reverse proxy, it should look something like this:
ltm profile client-ssl CSSL-TESTVERINT {
    app-service none
    cert TESTVERINT.EXT.VIDEOTRON.COM.crt
    chain none
    defaults-from clientssl
    key TESTVERINT.EXT.VIDEOTRON.COM.key
}
- Cory_50405 (Noctilucent)
In addition, use 'serverssl' as your server SSL profile.
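Cory's point is that a reverse-proxy client SSL profile carries a cert and key, whereas the posted profile carries the forward-proxy CA settings instead. As an added example (not from this thread or from F5), the Python below parses tmsh listings like the ones posted, flattened or indented, and flags the forward-proxy settings that do not belong in a termination-and-re-encryption profile; the sample listings are constructed with shortened file names.

```python
import re
# Constructed samples modelled on the listings in this thread (file names shortened).
FORWARD_PROXY_PROFILE = (
    "ltm profile client-ssl CSSL-TESTVERINT { app-service none cert-lifespan 30 "
    "defaults-from clientssl proxy-ca-cert TESTVERINT.crt proxy-ca-key TESTVERINT.key "
    "ssl-forward-proxy enabled }"
)
REVERSE_PROXY_PROFILE = (
    "ltm profile client-ssl CSSL-TESTVERINT { app-service none cert TESTVERINT.crt "
    "chain none defaults-from clientssl key TESTVERINT.key }"
)
VIRTUAL = (
    "ltm virtual VS-TESTVERINT { destination 172.29.243.27:http pool P-TESTVERINT "
    "profiles { CSSL-TESTVERINT { context clientside } tcp { } } vlans-disabled }"
)

def parse_tmsh(text):
    """Return (kind, name, settings) for one tmsh object, flattened or indented.
    Nested braces become sub-dicts; a bare attribute such as 'vlans-disabled' maps
    to True (recognised only before '}' or a nested block, tmsh's usual layout)."""
    tokens = re.findall(r"\{|\}|[^\s{}]+", text)
    open_ = tokens.index("{")                      # first '{' ends the header
    kind, name = " ".join(tokens[:open_ - 1]), tokens[open_ - 1]
    settings, _ = _parse_block(tokens, open_ + 1)
    return kind, name, settings

def _parse_block(tokens, i):
    block = {}
    while tokens[i] != "}":
        key, i = tokens[i], i + 1
        if tokens[i] == "{":                       # nested block
            block[key], i = _parse_block(tokens, i + 1)
        elif tokens[i] == "}" or tokens[i + 1] == "{":
            block[key] = True                      # bare flag
        else:
            block[key], i = tokens[i], i + 1       # key value
    return block, i + 1                            # step past closing '}'

def lint_ssl_profile(kind, settings):
    """Findings for a profile meant to terminate and re-encrypt (reverse proxy)."""
    findings = []
    if settings.get("ssl-forward-proxy") == "enabled":
        findings.append("ssl-forward-proxy enabled: on-the-fly CA signing, not termination")
    if kind.endswith("client-ssl"):
        for k in ("proxy-ca-cert", "proxy-ca-key", "proxy-ca-passphrase"):
            if k in settings:
                findings.append(f"{k} is a forward-proxy CA setting, not the server cert")
        if "cert" not in settings or "key" not in settings:
            findings.append("no cert/key: clients get the parent profile's certificate")
    return findings
```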
- Alain_Morin_147 (Nimbostratus)
I thought the SSL forward proxy implementation was the procedure I should use to have client (SSL) --> BIG-IP (SSL) --> backendserver (SSL) communication. At least, this is what the procedure https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-5-0/16.html?sr=35921646 is talking about. Please correct me if I'm wrong.