Forum Discussion
NimbostratusSend Client authentication cert to server
I have LTM + APM setup.
Configured Client SSL profile which perfectly works and authenticates the user in APM.
While start connection to the server, the requirement is to share the same Client Authentication certificate to the server.
Is there any way to forward the SSL Client authentication certificate to backend server ?
3 Replies
Dave_WEmployee
Hello Muruga. Yes, starting in version 13.1 you can do this with SSL Client Certificate Constrained Delegation feature:
https://support.f5.com/csp/article/K72668381
This only works with Client Cert Auth. If you want to use On Demand Cert Auth then you would need go to version 15.1.
MurugaSorry, current version of my device is 12.1.3.6. Is it possible ?
youssef1Cumulonimbus
Hi,
You can use Proxy SSL feature functionnality:
https://support.f5.com/csp/article/K13385
You have to keep in mind the following point:
Proxy SSL supports only the RSA key exchange. For proper functioning, the client and server must not negotiate key exchanges or cipher suites that Proxy SSL does not support, such as the Diffie-Hellman (DH) and Ephemeral Diffie-Hellman (DHE) key exchanges, and the Elliptic Curve Cryptography (ECC) cipher suite. To avoid this issue, you can either configure the client so that the ClientHello packet does not include DH, DHE, or ECC; or configure the server to not accept DH, DHE, or ECC. Proxy SSL supports only the NULL compression method.
so you can not use all the ciphers that you want. you have restrictions and you have to decrease your security to implement this kind of architecture.
I propose the following points:
- SSL Client Certificate Constrained Delegation feature (see Dave's commentary)
- change backend server authentication (cert to kerberos ...).
you lose a lot of flexibility in making proxy ssl.
keep me in touch if you need more details.
regards
