For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

awan_m's avatar
awan_m
Icon for Cirrostratus rankCirrostratus
Feb 09, 2024

Client Authentication with Proxy SSL

Hello - i have the following setup  Virtual server on the F5 without Client SSL or server ssl profiles - which passes web traffic to the backend iis server. the IIS server is configured to require ...
application delivery
awan_m's avatar
awan_m
Icon for Cirrostratus rankCirrostratus
Feb 11, 2024

Thanks - i will test it out and update this .

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Feb 13, 2024

    To be clear, there are generally two options for allowing mutual TLS to pass through the BIG-IP, with client/server SSL profiles applied:

    • ProxySSL - as described above. But note, ProxySSL can only work with non-perfect-forward-secret handshakes. That means it only works with RSA handshakes, and never with ECC, DHE, ECDHE, ECDH, etc. And since RSA handshakes have been mostly deprecated by all modern browsers, this option isn't terribly useful unless you control the browsers and are willing to force significantly weaker encryption.
    • Client Cert Constrained Delegation (C3D) - https://my.f5.com/manage/s/article/K14065425. This is the modern way to handle the requested scenario, and works with TLS1.3 and below with modern ciphers. 
    • awan_m's avatar
      awan_m
      Icon for Cirrostratus rankCirrostratus
      Feb 14, 2024

      C3D method would require provisioning / licensing of ssl Orchestrator - which i do not have licensed on my F5

      • Kevin_Stewart's avatar
        Kevin_Stewart
        Icon for Employee rankEmployee
        Feb 14, 2024

        Definitely not. C3D is a function of LTM.

        SSLO is not needed to use C3D.