Forum Discussion
Ian_Johnson_382
Nimbostratus
Apr 04, 2011
Client Certificate authentication for a tcp connection
Hi All,
Is it possible to use Client Certificates to authenticate a connection to a non HTTP/HTTPS application?
The ideal solution is that the user would run the client software which makes a TCP connection to 5000, the LTM would ask the client for authentication using a Client SSL certificate (either using an iRule or a Client SSL profile, not sure which one as yet). The LTM will validate the SSL certificate and then let the client software connect to the server.
Anyone ever done anything like this?
Thanks
Ian
3 Replies
- Sure man, it's one of the things the LTMs are great for, SSL offloading.. You can listen on any port you want for HTTPS, and forward to any port as well for the HTTP side.. You would need a client SSL profile and the certificate/key.
Just remember to use an HTTP monitor for your pool member(s) as an HTTPS monitor will fail with the member(s) listening on HTTP..
Go through this article for some very detailed info on Client SSL Profiles.. sol10167: Overview of the Client SSL profile
http://support.f5.com/kb/en-us/solu...r=13674610
- Ian_Johnson_382
Nimbostratus
Hi,
I am not trying to offload any SSL traffic and the backend are not HTTP servers.
I want to use the LTM to perform the authentication using client certificates. So the client application would first make a connection to do the authentication, then the client application will connect to the backend application over port 5000. This will open a tcp connection and the backend server will start sending streaming data to the client.
Ian
- Joel_Moses
Nimbostratus
I believe that the Client SSL profile with client certificate authentication works just fine with "stunnel" (http://www.stunnel.com/) type on-demand SSL built to tunnel TCP. It's hard to say without knowing a bit more about the application running over it (both client and server) whether it'll be a good user experience or not -- but it's certainly possible.
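A client-side stunnel service of the kind mentioned in the reply above, as an added example that is not part of the original thread: it lets a TCP client that cannot speak SSL itself present a client certificate to a virtual server that has a Client SSL profile. The host name `ltm-vs.example.com`, the service name, the ports and all file paths are placeholder assumptions.

```ini
; stunnel client-side configuration (constructed example; host names and paths are placeholders)
; The unmodified client application connects to 127.0.0.1:5000 in cleartext;
; stunnel wraps that connection in SSL/TLS and presents the client certificate.

[stream-app]
client = yes
; local cleartext listener for the client application
accept = 127.0.0.1:5000
; LTM virtual server that has the Client SSL profile attached (assumed address)
connect = ltm-vs.example.com:5000

; client certificate and private key presented when the LTM asks for one
cert = /etc/stunnel/client-cert.pem
key = /etc/stunnel/client-key.pem

; also verify the certificate the LTM presents, so the stream is not
; handed to an endpoint that merely answers on the same address
CAfile = /etc/stunnel/ltm-ca.pem
verifyChain = yes
checkHost = ltm-vs.example.com
```

stunnel only supplies the client half: the Client SSL profile on the LTM still has to require a client certificate and trust the CA that issued it. Keep the private key file readable only by the account that runs stunnel.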