For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

VladTC_372671's avatar
VladTC_372671
Icon for Nimbostratus rankNimbostratus
Oct 10, 2018

Check SSL certificate before forwarding to backend

Hello,   I have an application that verifies a client certificate from the request. This application is hosted into IIS server. The client makes the request throw a BigIp F5 proxy. I have made an ...
BIG-IP
client ssl profile
iRules
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 10, 2018

So what you're doing right now is forwarding a statically-defined client certificate to the IIS server from the server SSL profile. You're not, and cannot, send the real client certificate (the one sent by the client) to the server. If this is you're intention, then the easiest solution is to simply switch the server SSL profile based on some attribute of the client side connection. Attach a server SSL profile to the VIP that does not send a client cert, then attach something like this to the VIP:

when CLIENTSSL_CLIENTCERT {
     triggered when a client certificate is received
    SSL::profile [your cert-injecting server SSL profile]
}

If, however, it's your intention to send a different client certificate to the server for each request, then you're best option is to use a 13.1 feature called "Client Certificate Constrained Delegation", which effectively forges a client certificate to internal servers.