Forum Discussion
Send Client authentication cert to server
Hi,
You can use the Proxy SSL feature:
https://support.f5.com/csp/article/K13385
You have to keep in mind the following point:
Proxy SSL supports only the RSA key exchange. For proper functioning, the client and server must not negotiate key exchanges or cipher suites that Proxy SSL does not support, such as the Diffie-Hellman (DH) and Ephemeral Diffie-Hellman (DHE) key exchanges, and the Elliptic Curve Cryptography (ECC) cipher suite. To avoid this issue, you can either configure the client so that the ClientHello packet does not include DH, DHE, or ECC; or configure the server to not accept DH, DHE, or ECC. Proxy SSL supports only the NULL compression method.
So you cannot use all the ciphers that you want. You have restrictions, and you have to decrease your security to implement this kind of architecture.
I propose the following points:
- SSL Client Certificate Constrained Delegation feature (see Dave's commentary)
- Change backend server authentication (cert to Kerberos ...).
You lose a lot of flexibility in using Proxy SSL.
Keep me in touch if you need more details.
Regards
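Added example (not part of the original post, and not F5 code): a check of an OpenSSL-style cipher list against the RSA-only key exchange restriction quoted in the reply above. The function names, the bulk-cipher prefix list and the sample cipher string are assumptions made up for this illustration; TLS 1.3 suite names are flagged because TLS 1.3 has no static RSA key exchange.

```python
# Added example: flag cipher suites whose key exchange is not plain RSA,
# which the Proxy SSL restriction quoted above does not allow.

# OpenSSL name prefixes that indicate a non-RSA key exchange.
NON_RSA_PREFIXES = {
    "ECDHE-": "ECDHE", "ECDH-": "ECDH", "AECDH-": "anonymous ECDH",
    "DHE-": "DHE", "EDH-": "DHE", "DH-": "DH", "ADH-": "anonymous DH",
    "RSA-PSK-": "RSA-PSK", "PSK-": "PSK", "SRP-": "SRP",
}
# RSA key-exchange suites in OpenSSL naming start directly with the bulk
# cipher (assumption: this list covers the common families only).
RSA_BULK_PREFIXES = ("AES", "CAMELLIA", "ARIA", "DES-CBC3", "RC4",
                     "SEED", "IDEA", "NULL")


def key_exchange(name):
    """Return the key exchange implied by an OpenSSL cipher suite name."""
    if name.startswith("TLS_"):          # TLS 1.3 suites: always (EC)DHE
        return "TLS 1.3 (EC)DHE"
    for prefix, kx in NON_RSA_PREFIXES.items():
        if name.startswith(prefix):
            return kx
    if name.startswith(RSA_BULK_PREFIXES):
        return "RSA"
    return "unknown"                      # treat as incompatible until reviewed


def audit(cipher_names):
    """Split names into (compatible, [(name, key_exchange), ...])."""
    compatible, incompatible = [], []
    for name in cipher_names:
        kx = key_exchange(name)
        if kx == "RSA":
            compatible.append(name)
        else:
            incompatible.append((name, kx))
    return compatible, incompatible


# Constructed sample: a colon-separated list in the format `openssl ciphers` prints.
SAMPLE = ("TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA")

if __name__ == "__main__":
    ok, bad = audit(SAMPLE.split(":"))
    print("RSA key exchange (usable with Proxy SSL):", ", ".join(ok))
    for name, kx in bad:
        print(f"must not be negotiated: {name} ({kx})")
```

Any suite reported as incompatible has to be absent from either the client's offer or the server's accepted list, as the quoted restriction says.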