Forum Discussion
Maintain client data after SSL Handshakes
Ah, so what I believe you're doing is what's called PKI "mutual authentication": essentially an SSL handshake that includes server AND client certificates. You're prompting the user on the client side of the F5 for a certificate, and the server also requires a client certificate on the server side of the F5. The server cert and key that you have in the server SSL profile is what the server is getting.
In short, as long as you're terminating the client-side SSL at the proxy, it is not possible to get that client certificate to the server side. Basically, when a client sends its certificate, it also sends a piece of data that is digitally signed with its private key. And so even if you had the client's cert at the proxy, the proxy couldn't send it in the server-side SSL because it doesn't have the client's private key.
Another potentially simpler option is to simply send information in HTTP headers from the proxy. You can (and should) still encrypt the server-side communications, but modify the server to look in HTTP headers for information, which could very easily contain the user's certificate CN values.
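The header-based approach described in the answer above, written out as an added iRule example (this is not code from the original thread or from F5). It assumes a virtual server with an HTTP profile and a client SSL profile that requests or requires a client certificate, and the header name `X-Client-Cert-Subject` is an arbitrary choice. The important defensive detail is the `HTTP::header remove` before the insert: the backend will trust this header as proof of identity, so the proxy must strip any copy a client put in the request itself, and the backend should only accept the header on the connection coming from the F5.

```tcl
# Added example: forward the client certificate subject to the backend as an HTTP header.
# Assumes: HTTP profile + client SSL profile on the virtual server; header name is a chosen convention.
when HTTP_REQUEST {
    # Never let a client-supplied copy of the identity header reach the backend.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Serial"

    if { [SSL::cert count] > 0 } {
        # The client presented a certificate during the client-side handshake;
        # the F5 has validated it against the client SSL profile's trusted CAs.
        set subject [X509::subject [SSL::cert 0]]
        set serial  [X509::serial_number [SSL::cert 0]]
        HTTP::header insert "X-Client-Cert-Subject" $subject
        HTTP::header insert "X-Client-Cert-Serial" $serial
    }
    # If no certificate was presented, the request goes to the backend with the
    # headers stripped, so the backend sees "unauthenticated" rather than a stale value.
}
```

On the backend, read the subject (or the CN within it) from that header and treat it as the authenticated identity, but only for requests arriving over the server-side SSL connection from the proxy; a backend reachable directly by clients would otherwise accept any value they send.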