
Nuruddin_Ahmed_
Jul 28, 2016

Forward Proxy and Client Authentication Certificates

Hi,

 

We have a requirement wherein clients would want to directly authenticate with the backend server using a client authentication certificate. I want to use the forward proxy feature for this; would this feature allow client authentication (or all SSL handshakes/hellos) to be allowed for the backend server? I don't want to use the proxy SSL feature for some reason.

 

Thanks

 

2 Replies

  • ProxySSL would only work for inbound (reverse proxy) traffic, by virtue of the requirement to possess the server's private key.

     

    But to answer your question, it depends on what you mean.

     

    If you're talking about simple explicit forward proxy, where the client's TLS connection is performed between the client and real server, within the TCP tunnel created by the proxy after the CONNECT request, then yes that should work. Transparent forward proxy would also work.

     

    If, however, you're talking about transparent or explicit SSL Forward Proxy, wherein the F5 decrypts and re-encrypts the SSL between the client and server, then vehemently no. The only way to perform mutual PKI (client certificate) authentication is to completely bypass SSL processing at the proxy for this traffic.

     

  • I have a client that wants to do transparent SSL forward proxy, but also wants to be able to handle mutual authentication (client certificate authentication). Is it possible that this feature may be included in the SSL Orchestrator product in the future so traffic doesn't need to be bypassed?

     

    Are you asking if it'll be possible to decrypt and inspect SSL traffic that has to be mutually authenticated?