Forum Discussion
awan_m
Feb 09, 2024Cirrostratus
Client Authentication with Proxy SSL
Hello - i have the following setup Virtual server on the F5 without Client SSL or server ssl profiles - which passes web traffic to the backend iis server. the IIS server is configured to require ...
Hi,
Yes it will.
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-5-0/13.html
Does explain the setup.
Cheers,
Kees
awan_m
Feb 11, 2024Cirrostratus
Thanks - i will test it out and update this .
- Kevin_StewartFeb 13, 2024Employee
To be clear, there are generally two options for allowing mutual TLS to pass through the BIG-IP, with client/server SSL profiles applied:
- ProxySSL - as described above. But note, ProxySSL can only work with non-perfect-forward-secret handshakes. That means it only works with RSA handshakes, and never with ECC, DHE, ECDHE, ECDH, etc. And since RSA handshakes have been mostly deprecated by all modern browsers, this option isn't terribly useful unless you control the browsers and are willing to force significantly weaker encryption.
- Client Cert Constrained Delegation (C3D) - https://my.f5.com/manage/s/article/K14065425. This is the modern way to handle the requested scenario, and works with TLS1.3 and below with modern ciphers.
- awan_mFeb 14, 2024Cirrostratus
C3D method would require provisioning / licensing of ssl Orchestrator - which i do not have licensed on my F5
- Kevin_StewartFeb 14, 2024Employee
Definitely not. C3D is a function of LTM.
SSLO is not needed to use C3D.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects