Forum Discussion

Michaelyang
Nov 16, 2022

Client vs Server SSL profile

Hello,

Here's my structure:
client side - [client ssl profile] - big-ip - [server ssl profile] - server side
If the server has its own certificate and key, do the F5 client SSL profile and server SSL profile have to set the server's certificate and key for secure web browsing?

Any help is appreciated.

 

 

  • Hi Michaelyang
      As Amine_Kadimi said, it's mandatory to implement client and server side SSL profiles.

    > Regarding client side:

    -  You must install a valid signed certificate from a CA and its relevant key.

    -  In full proxy architecture mode, you need to add a client SSL profile with a valid signed digital certificate and key attached to it.

    -  Then, assign this profile to your virtual server.
    -  That's for SSL termination and traffic decryption on F5.

    > Regarding server side:
    -  F5 is able to initiate a secure connection again with the servers by using the default server side SSL profile "serverssl". It is sufficient for that as long as you do not want to put restrictions on specific cipher suites or authenticate by using a certificate; in this case you need to create a custom server SSL profile and change some configuration on this profile depending on your requirements.
    -  So it is not mandatory to put the server certificate on the server side SSL profile, as the default profile can accept "any" and re-encrypt traffic again as well.

    - Assigning a server SSL profile means that you want F5 itself to act as an SSL client to backend servers.

    Regards.

  • Yes, you have to, because you are configuring decryption and re-encryption on F5. Remember F5 is a full proxy and connections are cut into two connections, one client side and one server side, and in terms of security the client negotiates SSL with its server, which is F5; therefore you have to configure the certificate to be presented to the user and its associated key on F5.

    Also note that the validation of the certificate/key configured on the server is not performed by F5; in other words, F5 will by default accept any (e.g. self-signed) certificate presented by the server.
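
The client-side and server-side profiles described in the replies above, shown as an added tmsh example that is not part of the original thread. All object names (clientssl_app, serverssl_verify, vs_app, the .crt/.key files and the host name) are placeholders, and the certificate, key and CA bundle are assumed to be already imported on the BIG-IP.

```tmsh
# Added example; every object name below is a placeholder.

# Client side: the CA-signed certificate and key that the BIG-IP presents
# to browsers. This is the only place the site's private key is required.
create ltm profile client-ssl clientssl_app defaults-from clientssl cert-key-chain add { app_chain { cert app.example.com.crt key app.example.com.key chain intermediate-ca.crt } }

# Server side, as the replies describe it: the built-in "serverssl" profile
# re-encrypts traffic but does not validate the backend certificate.
# Inspect the current setting before relying on it (expected: ignore).
list ltm profile server-ssl serverssl peer-cert-mode ca-file

# Server side, hardened: a custom profile that requires the backend
# certificate to chain to a trusted CA and to carry the expected name.
# No backend certificate or key is installed here; the profile's own
# cert/key options are only used when the backend asks the BIG-IP for a
# client certificate.
create ltm profile server-ssl serverssl_verify defaults-from serverssl peer-cert-mode require ca-file internal-ca.crt authenticate-name app01.internal.example

# Attach both profiles to the virtual server, one per side of the proxy.
modify ltm virtual vs_app profiles add { clientssl_app { context clientside } serverssl_verify { context serverside } }

# Confirm which SSL profiles the virtual server now uses.
list ltm virtual vs_app profiles
```

With peer-cert-mode set to require, a backend presenting a self-signed or mismatched certificate fails the server-side handshake, so test the custom profile against each pool member before replacing the default.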
