Forum Discussion
Client Authentication on server side ssl
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html This is exactly what I am trying to configure and it's possible.
Yes, it's possible, but keep in mind that ProxySSL, and really ANY SSL man-in-the-middle (MITM) technology (some call it "passive SSL", or "bump-in-the-wire SSL") suffers from the same two very important requirements:
- Knowledge of the server's private key - it's probably also worth noting that this requirement alone makes it only useful for inbound (reverse proxy) traffic. You would never have the private key of servers on the Internet.
- A non-ephemeral RSA-based key exchange (handshake) - you can pretty much throw perfect forward secrecy and any Diffie-Hellman key agreements out the window. They won't work with an SSL man-in-the-middle technique. Aside from being non-perfect forward secret, the RSA key exchange is quickly being deprecated in the industry and there's word that the upcoming TLSv1.3 won't include RSA key exchange at all. Ultimately SSL MITM (ProxySSL and others) requires that the client and server handshake directly, so if they don't handshake with RSA, and you can't make them handshake with RSA (because neither offer or support RSA), then your MITM product won't work. You have a little time left, but that window is closing.
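The second requirement above is easy to check on the wire: the cipher suite in the ServerHello tells you whether the session used static RSA key transport (decryptable by anyone holding the server's private key) or an ephemeral (EC)DHE exchange (not decryptable passively). The following is an added example, not code from the thread or from F5; the cipher suite table is a small subset of the IANA registry and the ServerHello records are constructed in-script rather than captured.

```python
import struct

# Subset of IANA cipher suite assignments, chosen to cover the distinction the
# answer above draws: static RSA key transport versus (EC)DHE key agreement.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suite: key exchange is always ephemeral
}

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (test input, not a real capture)."""
    body = struct.pack(">H", 0x0303) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack(">H", suite) + b"\x00"            # cipher suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", 0x0303, len(handshake)) + handshake

def parse_server_hello(record: bytes) -> dict:
    """Extract protocol version and negotiated cipher suite from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", body[0:2])[0]          # body[2:34] is the 32-byte random
    offset = 35 + body[34]                                # skip session_id length + session_id
    if len(body) < offset + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack(">H", body[offset:offset + 2])[0]
    return {"version": version, "suite": suite, "name": CIPHER_SUITES.get(suite, "unknown")}

def passive_decryption_possible(record: bytes) -> bool:
    """True only when the session used static RSA key transport, i.e. the one case in
    which a proxy holding the server's private key can decrypt without terminating TLS."""
    info = parse_server_hello(record)
    if info["name"] == "unknown":
        raise ValueError(f"unrecognised cipher suite 0x{info['suite']:04x}")
    if info["version"] == 0x0304 or (info["suite"] >> 8) == 0x13:
        return False                                      # TLS 1.3 has no RSA key exchange
    return info["name"].startswith("TLS_RSA_WITH_")
```

Run it against ServerHello records from your own servers' handshakes: any session where this returns True is one a passive SSL/ProxySSL device could decrypt, and any where it returns False is one it could not.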