Forum Discussion

Dazzla_20011's avatar
Dazzla_20011
Icon for Nimbostratus rankNimbostratus
Mar 25, 2011

Server-side SSL

Hi,     Currently we only do client-side SSL on the F5. I've been asked if we can encrypt the traffic from the F5 to web servers. I know the F5 can do server side ssl so just wonderered if some...
config
design
markj_58101's avatar
markj_58101
Icon for Nimbostratus rankNimbostratus
Mar 31, 2011

We currently have this same setup where we are doing offloading on the LTM's, then from the LTM's to the web servers we are using the Server SSL functionality. The certs we are using on the Server SSL profile are the defaults. Everything works fine. Something that bothers me though is how this is actually working, for the Server SSL to work, the LTM is essentially acting as an SSL client to the server, correct? So how is the server decrypting the traffic from the LTM if it doesn't have the private key of default cert of the LTM?

 

Thank you

 

 

  • james_lee_31100's avatar
    james_lee_31100
    Icon for Nimbostratus rankNimbostratus
    Apr 15, 2016
    Just use default serverside ssl profile, it works fine
  • superuser_22978's avatar
    superuser_22978
    Icon for Nimbostratus rankNimbostratus
    Jun 21, 2017

    As F5 works as a full proxy device. Think it like this. When you try to launch a web page are you presenting any cert? No right. When the F5's front end ssl decrypts the traffic. F5 initiates an ssl handshake to the backend server where it gets the cert and public key from the backend server(treat f5 as your laptop here). Now f5 encrypts the traffic with public key offered and backend server decrypts with its private key.

     

    Thank you.