Forum Discussion
Feb 09, 2024
Hi,
Yes, it will.
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-5-0/13.html
Does explain the setup.
Cheers,
Kees
- awan_m (Cirrostratus), Feb 11, 2024
Thanks - I will test it out and update this.
- Kevin_Stewart (Employee), Feb 13, 2024
To be clear, there are generally two options for allowing mutual TLS to pass through the BIG-IP, with client/server SSL profiles applied:
- ProxySSL - as described above. But note, ProxySSL can only work with non-perfect-forward-secret handshakes. That means it only works with RSA handshakes, and never with ECC, DHE, ECDHE, ECDH, etc. And since RSA handshakes have been mostly deprecated by all modern browsers, this option isn't terribly useful unless you control the browsers and are willing to force significantly weaker encryption.
- Client Cert Constrained Delegation (C3D) - https://my.f5.com/manage/s/article/K14065425. This is the modern way to handle the requested scenario, and works with TLS1.3 and below with modern ciphers.
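As an added illustration of the first option (not configuration from the thread or from F5's own article), the tmsh commands below build the ProxySSL pair described above. Profile, pool, certificate and key names and the 192.0.2.10 address are placeholders; the cipher string is the point, since ProxySSL only works when the client and server negotiate RSA key exchange.

```tmsh
# ProxySSL client-ssl profile. It must carry the BACKEND server's own cert/key
# (placeholder names): BIG-IP uses that private key to derive the session keys
# while the real handshake happens between client and server.
# Ciphers are restricted to RSA key exchange; ECDHE/DHE/ECDH and TLS 1.3 are
# excluded because ProxySSL cannot follow a forward-secret handshake.
tmsh create ltm profile client-ssl proxyssl_client {
    defaults-from clientssl
    cert backend_server.crt
    key backend_server.key
    ciphers "DEFAULT:!ECDHE:!DHE:!ECDH:!TLSv1_3"
    proxy-ssl enabled
    # Optional: if a non-RSA handshake is negotiated anyway, pass the bytes
    # through unmodified instead of failing. Caveat for defenders: such
    # connections are invisible to SSL-profile-based inspection and iRules.
    proxy-ssl-passthrough enabled
}

# Matching server-ssl profile with the same cipher restriction and ProxySSL on.
tmsh create ltm profile server-ssl proxyssl_server {
    defaults-from serverssl
    ciphers "DEFAULT:!ECDHE:!DHE:!ECDH:!TLSv1_3"
    proxy-ssl enabled
    proxy-ssl-passthrough enabled
}

# Virtual server (placeholder destination and pool) with the pair applied
# on the client side and server side respectively.
tmsh create ltm virtual mtls_proxyssl_vs {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles add {
        tcp { }
        proxyssl_client { context clientside }
        proxyssl_server { context serverside }
    }
    pool mtls_backend_pool
}

# Confirm what was built and which ciphers the profiles will actually offer.
tmsh list ltm profile client-ssl proxyssl_client proxy-ssl proxy-ssl-passthrough ciphers
tmsh list ltm profile server-ssl proxyssl_server proxy-ssl proxy-ssl-passthrough ciphers
```

Before committing to this, check whether the clients you need to support will still negotiate an RSA key-exchange suite at all; if they won't, the handshake either fails or (with passthrough enabled) silently bypasses the BIG-IP's SSL processing.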
- awan_m (Cirrostratus), Feb 14, 2024
The C3D method would require provisioning/licensing of SSL Orchestrator - which I do not have licensed on my F5.