For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dazzla_20011's avatar
Dazzla_20011
Icon for Nimbostratus rankNimbostratus
Mar 25, 2011

Server-side SSL

Hi,     Currently we only do client-side SSL on the F5. I've been asked if we can encrypt the traffic from the F5 to web servers. I know the F5 can do server side ssl so just wonderered if some...
config
design
Chris_Miller's avatar
Chris_Miller
Icon for Altostratus rankAltostratus
Mar 25, 2011
As someone who configures and maintains F5 boxes, I'm totally on board with Hamish's statements about re-encrypting not being necessary. With that said though, I also work in an environment where our security team has begun requiring it in certain areas. As long as physical access control is there, it's not a PCI requirement but re-encryption is almost considered a last line of defense in case someone internal goes rogue.

 

 

Of course, if that's a true requirement, there are still opportunities to minimize the performance impact. As Hamish also mentioned, using a shorter keylength can be a great option. We have an application that cannot support larger than 1024-bit. Since CAs now require 2048 or larger, LTM essentially allowed the application to continue working.