Forum Discussion
Server-side SSL
Currently we only do client-side SSL on the F5. I've been asked if we can encrypt the traffic from the F5 to web servers. I know the F5 can do server side ssl so just wonderered if someone could confirm the follwing steps are correct to do this?
Install a certificate on the web servers, a self signed certificate should be OK.
Create a server side SSL profile on the LTM.
Apply the SSL profile to the Virtual Server
It seems very simple, am I correct?
Also could this have any impact on the ASM as we are just starting to set this up?
Thanks
Darren
- Jason_KeatingAltostratusYes it is that simple, ensure your Server side SSL profile trusts the Issuer and you are ok.
- Steve_Brown_882Historic F5 AccountI agree it is that simple. In fact you can typically just use the default serverSSL profile. The only time I have created a sepperate profile is if I needed to support Sal client certs being sent to the backend. As for ASM, this will have no effect because the reencrypt doesn't occur until after ASM.
- HamishCirrocumulus100% correct. It really is that simple.
- Chris_MillerAltostratusAs someone who configures and maintains F5 boxes, I'm totally on board with Hamish's statements about re-encrypting not being necessary. With that said though, I also work in an environment where our security team has begun requiring it in certain areas. As long as physical access control is there, it's not a PCI requirement but re-encryption is almost considered a last line of defense in case someone internal goes rogue.
- markj_58101Nimbostratus
We currently have this same setup where we are doing offloading on the LTM's, then from the LTM's to the web servers we are using the Server SSL functionality. The certs we are using on the Server SSL profile are the defaults. Everything works fine. Something that bothers me though is how this is actually working, for the Server SSL to work, the LTM is essentially acting as an SSL client to the server, correct? So how is the server decrypting the traffic from the LTM if it doesn't have the private key of default cert of the LTM?
Thank you
- james_lee_31100NimbostratusJust use default serverside ssl profile, it works fine
- superuser_22978Nimbostratus
As F5 works as a full proxy device. Think it like this. When you try to launch a web page are you presenting any cert? No right. When the F5's front end ssl decrypts the traffic. F5 initiates an ssl handshake to the backend server where it gets the cert and public key from the backend server(treat f5 as your laptop here). Now f5 encrypts the traffic with public key offered and backend server decrypts with its private key.
Thank you.
- HamishCirrocumulusYou answered the question yourself. The server can decrypt stuff from the F5 (Client) because the shared session key (That's actually used to encrypt the traffic) is negotiated as part of the key exchange where the server uses it's own private key. The client side key doesn't get involved). The session between the LTM and the server is a completely different TLS (Or SSL) session from the client - LTM connection.
- markj_58101NimbostratusOK thanks, I see what you are saying. Now that I think about it it's actually fairly straight forward. The thing that confuses/d me is why you have the cert/key options on the Server SSL profile when the Server itself is providing the cert for encryption?
- HamishCirrocumulusMutual authentication.
- Joel_MosesNimbostratusI've only _very rarely_ seen a web server that requires SSL Mutual Authentication for incoming channels that isn't doing _client authentication_ with the presented certificate; it's certainly possible but is extremely uncommon. These servers are typically doing this for Web Services (J2EE/WCF) and aren't meant to be directly used by end-users. I think that the certificate/key field is left in the ServerSSL profile just for this eventuality?
- markj_58101NimbostratusOK great, Thank you for the answers.
Mark
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com