Forum Discussion
Client vs Server SSL profile
- Nov 16, 2022
Hi Michaelyang ,
As Amine_Kadimi said, it's mandatory to implement client- and server-side SSL profiles.
> Regarding client side: you must install a valid signed certificate from a CA and its relevant key.
- In Full Proxy architecture mode, you need to add a client SSL profile with a valid signed digital certificate and key attached to it.
- Then assign this profile to your virtual server.
- That's for SSL termination and traffic decryption on F5.
> Regarding server side:
- F5 is able to initiate a secure connection again with the servers by using the default server-side SSL profile "serverssl". It is sufficient for that as long as you do not want to put restrictions on specific cipher suites or authenticate by using a certificate; in that case you need to create a custom server SSL profile and change some configuration on this profile depending on your requirements.
- So it is not mandatory to put the server certificate on the server-side SSL profile, as the default profile can accept "any" and re-encrypt traffic again as well.
- Assigning a server SSL profile means that you want F5 itself to act as an SSL client to the backend servers.
Regards.
Yes, you have to, because you are configuring decryption and re-encryption on F5. Remember F5 is a full proxy and connections are cut into two connections, one client side and one server side. In terms of security, the client negotiates SSL with its server, which is F5; therefore you have to configure the certificate to be presented to the user and its associated key on F5.
Also note that the validation of the certificate/key configured on the server is not performed by F5; in other words, F5 will by default accept any (e.g. self-signed) certificate presented by the server.
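
As an added example (not part of either reply above and not F5's own documentation), here are the two sides described in this thread as tmsh commands, with the default "accept any" server-side behaviour beside a custom server SSL profile that validates the backend certificate. All object names (example_clientssl, example_chain, example.crt, example.key, example_ca.crt, example_serverssl_verify, example_vs, app.example.internal) are assumptions, and the certificate, key and CA bundle are assumed to be already imported on the BIG-IP.

```tmsh
# --- Client side: what F5 presents to clients -------------------------------
# Custom client SSL profile carrying the CA-signed certificate and its key
# (hypothetical object names; cert and key already imported).
create ltm profile client-ssl example_clientssl defaults-from clientssl cert-key-chain add { example_chain { cert example.crt key example.key } }

# --- Server side: F5 acting as an SSL client to the backend ------------------
# Inspect the default profile. A peer-cert-mode of "ignore" means the backend
# certificate is not validated, so any certificate (e.g. self-signed) is
# accepted and traffic is simply re-encrypted.
list ltm profile server-ssl serverssl peer-cert-mode

# Custom server SSL profile that does validate the backend:
#   peer-cert-mode require  -> the server certificate must verify
#   ca-file                 -> CA bundle the certificate must chain to
#   authenticate-name       -> name expected in the server certificate
create ltm profile server-ssl example_serverssl_verify defaults-from serverssl peer-cert-mode require ca-file example_ca.crt authenticate-name app.example.internal

# --- Attach both profiles to the virtual server ------------------------------
# Assumes example_vs exists and has no SSL profiles attached yet; if the
# default serverssl is already attached, remove it first with
# "profiles delete { serverssl }".
modify ltm virtual example_vs profiles add { example_clientssl { context clientside } example_serverssl_verify { context serverside } }

# Confirm what is attached on each side.
list ltm virtual example_vs profiles
```

With `peer-cert-mode require`, a pool member whose certificate does not chain to the configured CA bundle fails the server-side handshake, so check the backend certificates before switching from the default profile.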