Forum Discussion

Ian_Johnson_382
Apr 04, 2011

Client Certificate authentication for a TCP connection

Hi All,

Is it possible to use Client Certificates to authenticate a connection to a non-HTTP/HTTPS application?

The ideal solution is that the user would run the client software, which makes a TCP connection to port 5000; the LTM would ask the client for authentication using a Client SSL certificate (either using an iRule or a Client SSL profile, not sure which one as yet). The LTM will validate the SSL certificate and then let the client software connect to the server.

Anyone ever done anything like this?

Thanks

Ian
  • Sure man, it's one of the things the LTMs are great for, SSL offloading.. You can listen on any port you want for HTTPS, and forward to any port as well for the HTTP side.. You would need a client SSL profile and the certificate/key.

    Just remember to use an HTTP monitor for your pool member(s) as an HTTPS monitor will fail with the member(s) listening on HTTP..

    Go through this article for some very detailed info on Client SSL Profiles..

    sol10167: Overview of the Client SSL profile

    http://support.f5.com/kb/en-us/solu...r=13674610
  • Hi,

    I am not trying to offload any SSL traffic, and the backends are not HTTP servers.

    I want to use the LTM to perform the authentication using client certificates. So the client application would first make a connection to do the authentication, then the client application will connect to the backend application over port 5000. This will open a TCP connection, and the backend server will start sending streaming data to the client.

    Ian

  • I believe that the Client SSL profile with client certificate authentication works just fine with "stunnel" (http://www.stunnel.com/) type on-demand SSL built to tunnel TCP. It's hard to say without knowing a bit more about the application running over it (both client and server) whether it'll be a good user experience or not -- but it's certainly possible.
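As an added illustration of the iRule route mentioned in the question (not code from any poster), here is how the certificate check can be done on a plain TCP virtual server listening on 5000. It assumes a Client SSL profile attached to the virtual server with Client Certificate set to "request" and a trusted CA bundle configured, and that the virtual server's default pool points at the cleartext backend on port 5000; `reject` drops the connection before any stream data is forwarded.

```tcl
# Added example iRule (not from the original thread).
# Assumes: Client SSL profile on the virtual server with
# "Client Certificate: request" and a trusted CA bundle, so the
# handshake reaches this event even when the client sends no cert.
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: drop the TCP connection before any
    # stream data from the backend can flow to the client.
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    # A non-zero verify result means the chain did not validate
    # against the profile's trusted CA bundle (expired, untrusted
    # issuer, etc.); log the reason for the SOC and drop.
    set vr [SSL::verify_result]
    if { $vr != 0 } {
        log local0. "Client cert verification failed for [IP::client_addr]: [X509::verify_cert_error_string $vr]"
        reject
        return
    }

    # Cert is present and valid: record who connected. The connection
    # continues to the virtual server's default pool (the cleartext
    # backend on port 5000) once the handshake completes.
    log local0. "Client cert accepted from [IP::client_addr]: [X509::subject [SSL::cert 0]]"
}
```

Revocation is not checked by this iRule; if revocation matters, that has to be handled in the profile or by additional logic.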