For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

spurushothaman_'s avatar
spurushothaman_
Icon for Nimbostratus rankNimbostratus
Dec 04, 2015

Client Certificate is not passing through back end hosts

I have SSL terminated at F5, we have client certificate for client authentication coming via application request. The client certificate is not passed through the back end systems hence it is reject...
BIG-IP
devops
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 05, 2015

So just to clarify, your fastL4 isn't doing any SSL, so you're just passing SSL directly between the client and backend server, and of course client cert auth should work. Are you load balancing between multiple backend servers, and if so how are you maintaining persistence?

 

You simply CANNOT pass the client's certificate to the backend server if you terminate the SSL at the proxy, for the reasons I described before. ProxySSL can work in this regard, but you must force the client and backend server to only negotiate with non-PFS RSA, which is becoming harder to do as user-agents are starting to completely deprioritize (and ultimately remove) non-PFS ciphers.