Forum Discussion
Victor_126772
Nimbostratus
Jun 25, 2013
Middleware
Faced with an interesting challenge to fully encrypt transport of Wingspan data from consumer -> service and service -> consumer. Tibco Policy Director allows creation of authentication polici...
Kevin_Stewart
Employee
Jun 25, 2013
Client side (client to F5) and server side (F5 to server) are separate profiles attached to the virtual server, and work independently of one another. You can decrypt SSL on the client side and not re-encrypt to the server, not encrypt on the client and encrypt on the server side, decrypt and re-encrypt, and not decrypt or re-encrypt at all (SSL bridging mode). You can also do SSL "man-in-the-middle" with version 11.x. The profiles also allow you some pretty dynamic control over the SSL. On the client side for example, you can set a standard server certificate to handle one host, a wildcard or SAN (subject alt name) cert that can be used with all or some hostnames, or you can even do SNI (server name indicator), a TLS extension that allows you to apply multiple single host client SSL profiles to a VIP that will be used based on the client's request.
Each of these options is fairly easy to configure via the management GUI, console shell, or remote API. You could very simply apply a wildcard cert to a client SSL profile and not have to worry about future modifications, or if that is too expensive an option, you can do SNI and dynamically and programmatically import server certificates, create single host SSL profiles, and then assign them to the VIP(s) to do SNI.
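The SNI-based selection described in the reply above can be sketched as follows. This is an added example, not part of the original post and not F5 code: the profile names, hostnames and the precedence (exact name, then wildcard, then a default profile) are assumptions made for illustration.

```python
from typing import Optional

# Constructed sample data: (hypothetical profile name, certificate names, is default).
PROFILES = [
    ("clientssl_app", ["app.example.com"], False),                         # single host
    ("clientssl_wild", ["*.example.com"], False),                          # wildcard
    ("clientssl_san", ["portal.example.net", "api.example.net"], False),   # SAN cert
    ("clientssl_default", ["www.example.org"], True),                      # fallback
]

def name_matches(pattern: str, host: str) -> bool:
    """Compare a certificate name with a host; '*' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label

def select_profile(sni: Optional[str], profiles=PROFILES) -> str:
    """Return the profile for the server name the client sent in its ClientHello."""
    default = next(name for name, _, is_default in profiles if is_default)
    if not sni:
        return default  # client sent no server_name extension
    wildcard_hit = None
    for name, cert_names, _ in profiles:
        for cert_name in cert_names:
            if not name_matches(cert_name, sni):
                continue
            if not cert_name.startswith("*."):
                return name  # an exact name always wins
            wildcard_hit = wildcard_hit or name
    return wildcard_hit or default

if __name__ == "__main__":
    for host in ("app.example.com", "shop.example.com", "a.b.example.com", None):
        print(host, "->", select_profile(host))
```

A wildcard name does not cover nested subdomains or the bare domain, so those requests fall through to the default profile and the client sees a certificate name mismatch.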