Forum Discussion

Winnie_363941's avatar
Winnie_363941
Icon for Nimbostratus rankNimbostratus
Jul 05, 2018

Passthrough Clientcertificate from Client -> F5 -> Back-End-Server

Hello,

 

we've configured a Virtual Server with an attached HTTPS client and HTTPS server profile.

 

We would like to use Client Certificate Authentication between the User (Client) and our Back-End-Server (Node).

 

The problem is, that the SSL connection terminates on the F5 System. So we are not able to pass through the SSL Client Certificate Information to Back-End-Server (Node)

 

Also the validity of the Client-Certificate should be checked on the F5. The CA-Certificate of the Client-Certificate should be placed on the F5 and only these Client-Certificates should be able to call the node. It should be possible to allow more than one ROOT-Certificate.

 

The SSL-Proxy Mode is no option for us, because we can only use weak ciphers when the Mode is active.

 

Is there a way to pass through the SSL Client Certificate to Back-End-Server? Maybe with an iRule?

 

Kind Regards

 

Winnie

 

  • Hello guys,

     

    Have the same problem than Winnie. But indeed we use ASM to protect app on backend server so we need http profile. No way to be transparent on client auth request if we use TLS ?

  • Surgeon's avatar
    Surgeon
    Ret. Employee

    Are you doing any with HTTP data on the big-ip for that VIP? iRule, cache, copression, persistence based on any of HTTP data e.g persistence? If not, then just remove all profiles except TCP and let SSL path through