Forum Discussion
iRules for SSL certificates
Hi Simon,
Thank you very much for the reply. We will try this solution and see how it works. One thing bothers me though: if we want to use end-to-end encryption from client to backend server (client -> F5, F5 -> web server), it was suggested that we use Certificate Constrained Delegation. In that case we have to enable C3D in both SSL profiles: client and server. Do you know where to specify that in an iRule, and what the syntax would be?
Thanks again.
I guess SSL::c3d might be a start.
Otherwise, you might need to change both the client and server-side SSL certificates to ones configured for using C3D, and then renegotiate SSL on both the client and server side.
Just by way of explanation, C3D allows the details in a client auth certificate to be passed to the server-side SSL negotiation, by creating (forging) a new and valid server-side client authentication certificate based on the server certificate for the server-side TLS negotiation. This is only necessary when the pool member SSL stack needs to see those specific client auth certificate details (for authentication/auditing purposes). If you can get away with a single shared server-side client auth certificate, it's usually an easier option.
I haven't played much with C3D, so it's a bit of a speculative approach, but it's where I would start.
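As an added illustration (not the poster's iRule, and not tested against a BIG-IP), this is where in the iRule event model the client certificate details become available and can be carried into the C3D-forged server-side certificate. It assumes client authentication is set to "require" on the client SSL profile, C3D is enabled on both SSL profiles, and that `SSL::c3d cert extension set <oid> <value>` is the command syntax; the OID is a placeholder.

```tcl
# Added example, not code from the thread. Assumes both SSL profiles have
# C3D enabled and the client SSL profile requires a client certificate.
# The "SSL::c3d cert extension set" syntax and the OID are assumptions.
when CLIENTSSL_CLIENTCERT {
    # No client certificate presented: refuse the connection rather than
    # let the server side negotiate with a forged certificate that carries
    # no client identity.
    if { [SSL::cert count] < 1 } {
        log local0. "client [IP::client_addr] offered no client certificate; rejecting"
        reject
        return
    }

    set subject [X509::subject [SSL::cert 0]]
    set issuer  [X509::issuer [SSL::cert 0]]
    set serial  [X509::serial_number [SSL::cert 0]]

    # Audit trail on the BIG-IP for the identity that will be delegated
    # to the pool member.
    log local0. "client [IP::client_addr] cert subject=\"$subject\" issuer=\"$issuer\" serial=$serial"

    # Carry the original subject DN into the forged server-side client
    # certificate as a custom extension so the pool member can log it.
    # OID 1.3.6.1.4.1.99999.1 is a placeholder; use one you control.
    SSL::c3d cert extension set 1.3.6.1.4.1.99999.1 "$subject"
}
```

The pool member still has to trust the C3D CA configured on the server SSL profile, otherwise the forged certificate is rejected regardless of what the iRule does.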