Forum Discussion
Client Authentication on server side ssl
How, on server-side SSL, can we do certificate-based authentication?
In short, you cannot. I won't dive too much into the technical details here other than to say that in order for an entity to authenticate with a client certificate, it must have possession of the private key (used to digitally sign one of the messages in this "mutual PKI" sequence). The client digitally signs information going to the F5, so that works. But the F5 wouldn't have access to the client's private key, so there'd be no way for it to perform client certificate authentication to the server on the client's behalf.
You have a few options here:
- Don't process SSL on the F5 - the crudest and simplest option that effectively turns your BIG-IP into a blind layer 4 load balancer.
- Enable ProxySSL - an option that provides an SSL "man-in-the-middle" functionality, but requires 1) the F5 to have a copy of the server's private key, and 2) that you ONLY perform non-ephemeral (non-perfect-forward-secrecy) RSA key exchanges during the SSL handshake. This is still an option, but clients and servers are starting to deprecate the use of RSA for key exchange.
- Perform some other kind of authentication on the server side - this is exactly the sort of thing APM is great at. Take information from the client-side certificate exchange and roll it into some other authentication scheme, like Kerberos.
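The following is an added example, not code from this thread or from F5. It uses Go's standard crypto/tls to show why the answer above is "you cannot": a TLS 1.3 server that requires client certificates only accepts a CertificateVerify signed by the private key belonging to the presented certificate. The client "alice" holds her key and is accepted; a stand-in for a TLS-terminating proxy that has only alice's certificate plus its own key (the BIG-IP's situation) is rejected with a signature error. The CA, server and client certificates are constructed in memory for the demo and are not real PKI material; the handshake runs over an in-memory pipe, so nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert mints a throwaway P-256 certificate and key (constructed demo material, not real PKI).
// With parent == nil it is a self-signed CA; otherwise parentKey signs it as a leaf.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{"localhost"},
	}
	if parent == nil { // self-signed CA
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mutualTLS runs one TLS 1.3 handshake over an in-memory pipe: the server demands a client certificate
// issued by ca, and the client presents clientCert but signs CertificateVerify with signingKey.
func mutualTLS(ca, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey, clientCert *x509.Certificate, signingKey *ecdsa.PrivateKey) (acceptedCN string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		MinVersion:             tls.VersionTLS13,
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // keeps post-handshake records off the unbuffered pipe
	}
	cliCfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: signingKey}},
		RootCAs:      pool,
		ServerName:   "localhost",
	}
	cConn, sConn := net.Pipe()
	deadline := time.Now().Add(2 * time.Second) // a stall on the synchronous pipe becomes an error, never a hang
	_, _ = cConn.SetDeadline(deadline), sConn.SetDeadline(deadline)
	done := make(chan error, 1)
	go func() {
		defer sConn.Close()
		srv := tls.Server(sConn, srvCfg)
		err := srv.Handshake()
		if err == nil {
			acceptedCN = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
			_, err = srv.Write([]byte("ok")) // one record for the client to read after its handshake
		}
		done <- err
	}()
	cli := tls.Client(cConn, cliCfg)
	if cli.Handshake() == nil {
		_, _ = cli.Read(make([]byte, 2)) // TLS 1.3 clients finish early; this read surfaces the server's verdict
	}
	cConn.Close()
	err = <-done
	return acceptedCN, err
}

func main() {
	ca, caKey, err1 := newCert("Demo CA", nil, nil)
	srvCert, srvKey, err2 := newCert("localhost", ca, caKey)
	aliceCert, aliceKey, err3 := newCert("alice", ca, caKey)
	_, proxyKey, err4 := newCert("proxy", ca, caKey) // the proxy's own key pair, not alice's
	if err1 != nil || err2 != nil || err3 != nil || err4 != nil {
		panic("demo certificate generation failed")
	}
	cn, err := mutualTLS(ca, srvCert, srvKey, aliceCert, aliceKey)
	fmt.Printf("alice signing with her own key: accepted=%q err=%v\n", cn, err)
	_, err = mutualTLS(ca, srvCert, srvKey, aliceCert, proxyKey)
	fmt.Printf("proxy holding only alice's certificate: err=%v\n", err)
}
```

The second run fails inside the server's handshake because the signature over the handshake transcript does not verify under the public key in alice's certificate; no configuration on the proxy changes that, which is why the practical choices are the three listed above (pass the TLS session through untouched, ProxySSL with the server's key and RSA key exchange, or re-authenticate the client towards the server with a different mechanism such as Kerberos).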