Forum Discussion
Hello,
take a look on client ssl profile. You have whole section there called "Client Authentication" where you define parameters used to determine if client with certain certificate should be allowed or not.
More details here: https://support.f5.com/csp/article/K14783
- Zaklina_377109Nov 18, 2018Nimbostratus
If I use SSL proxy function and certificate doesnt match or I receive connections without certificate, who will drop request, BIGIP or server? I need BIGIP drop that connections. Maybe there is some other options so that BIGIP can drop such request?
- Kevin_StewartNov 18, 2018Employee
By "SSL proxy", do you mean "Proxy SSL"? If so, in this function the BIG-IP has no control over the TLS handshake. You can see the TLS handshake, but you'd have to use TCP binary iRules to inspect it.
It's probably also worth noting that Proxy SSL, like any other product that does passive SSL inspection, cannot work with perfect forward secret (DHE) ciphers.
- jakru_162096Nov 19, 2018Nimbostratus
Zaklina,
if you need bigip to drop the request you need to actually have that proxy ssl function disabled (this is default). That way your f5 tries to negotiate ssl handshake and if the client does not provide proper certificate it will fail.