For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Zaklina_377109's avatar
Zaklina_377109
Icon for Nimbostratus rankNimbostratus
Nov 16, 2018

Filtering based on client certificate

Hello,   I want to make F5 filter user requests based on client certificate so that requests that do not have certificate are not passed to web server. Also, F5 shouldn't authenticate the user. Ho...
application delivery
ASM Advanced WAF
BIG-IP
jakru_162096's avatar
jakru_162096
Icon for Nimbostratus rankNimbostratus
Nov 16, 2018

Hello,

 

take a look on client ssl profile. You have whole section there called "Client Authentication" where you define parameters used to determine if client with certain certificate should be allowed or not.

 

More details here: https://support.f5.com/csp/article/K14783

 

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 18, 2018

By "SSL proxy", do you mean "Proxy SSL"? If so, in this function the BIG-IP has no control over the TLS handshake. You can see the TLS handshake, but you'd have to use TCP binary iRules to inspect it.

 

It's probably also worth noting that Proxy SSL, like any other product that does passive SSL inspection, cannot work with perfect forward secret (DHE) ciphers.