For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

IK13_38276's avatar
IK13_38276
Icon for Nimbostratus rankNimbostratus
Jun 18, 2010

Handling Client Certificates

Hi guys,     Please excuse me if I'm posting to the wrong forum, and I'd appreciate if you point me in the right direction.     We want to employ client certificates in addition to our a...
config
design
Michael_Yates's avatar
Michael_Yates
Icon for Nimbostratus rankNimbostratus
Jun 18, 2010
You have the options correct on what the BigIP LTM can provide.

 

 

However, the SSL Off-Load (Client->SSL->Big-IP->SSL->Application Server) is for the most part transparent to the client and the application. It also gives you the opportunity to do traffic inspections, modifications, and more granular traffic management.

 

 

Either way, since SSL is terminated at Big-IP, there's no way for the real client certificate to travel all the way to the application server, unless it is injected by an iRule as a custom HTTP header. Which means that the application has to be aware (by a config option for example) and act differently, based upon whether or not there's Big-IP in the middle.

 

Am I correct so far?

 

 

The client doesn't have an SSL Certificate. The Client has an "expectation" to be talking to a specific website, which is why you get an error if the presented SSL Certificate does not match the actual website.

 

 

 

Another question - let's say we have 2.2 Client->SSL->Big-IP->SSL->Application Server

 

Does Big-IP provide an option to map the certificate coming from a client to another (client) certificate the Big-IP is to use (when acting as a client) to establish SSL connection to the application server?

 

 

The option that you are looking for is not necessary. In this scenario: Client->SSL->Big-IP->SSL->Application Server

 

 

Client – attempts to access https://www.website.com

 

BigIP – presents CA Signed SSL Certificate for www.website.com

 

 

Client validates that this is a CA (Certificate Authority – Verisign, Entrust, etc…) Signed Certificate. If yes, then trust is established.

 

 

BigIP can now run any iRules against the traffic.

 

 

BigIP – selects application server (through whatever Load Balancing method is configured on the Virtual Server) and contacts the server in the exact same way the Client contacted the BigIP (because the BigIP is the Client to the Application Server). Biggest difference here is that the BigIP can be configured to validate the SSL Certificate or ignore the validation and just accept it (see Local Traffic -> Profiles -> SSL -> Server and select a serverssl profile under the “Server Authentication settings).

 

Application Server – treats the BigIP as the client and response normally.

 

 

Other than the SSL-Offload none of the payload from the client is altered (unless you do it with an iRule).

 

 

Hope this helps.