Forum Discussion

Server-side SSL
Dazzla_20011 (Nimbostratus), Mar 25, 2011
Hi,
Currently we only do client-side SSL on the F5. I've been asked if we can encrypt the traffic from the F5 to the web servers. I know the F5 can do server-side SSL, so I just wondered if someone could confirm the following steps are correct to do this?
Install a certificate on the web servers, a self signed certificate should be OK.
Create a server side SSL profile on the LTM.
Apply the SSL profile to the Virtual Server
It seems very simple, am I correct?
Also could this have any impact on the ASM as we are just starting to set this up?
Thanks
Darren
24 Replies
- fLyf5_21542 (Nimbostratus)
In continuation of the above discussion: I have received a server certificate generated (based on the server CSR) by a CA and need to configure a server SSL profile in LTM.
Should it require importing the server key, or is it OK to upload only the certificate?
Based on my understanding, LTM acts as the client, and a client requires only the SSL certificate to participate in the SSL flow.
Please share your comments/advice.
Rgds
fLy

- nitass (Employee)
Employee
> Should it require importing the server key, or is it OK to upload only the certificate?
To do SSL offloading, we need both the certificate and the private key.
This is a nice SSL profiles series by Jason:
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086405/SSL-Profiles-Part-1.aspx
Hope this is helpful.

- fLyf5_21542 (Nimbostratus)
Hi nitass
Thanks for your response. I am still confused about why we need to get the key along with the certificate from the server. LTM is going to be acting as the client, and in a normal SSL handshake the client uses only the public certificate.
Could you help me to understand this point?

- nitass (Employee)
Sorry to confuse you. I might have misunderstood you a bit.
In the case of serverssl, if the BIG-IP does not need to present a client certificate to the pool member (client certificate authentication), you do not need to import anything to the BIG-IP. The default serverssl profile could work.
However, if the BIG-IP has to supply a client certificate to the pool member, both the client certificate and private key must be imported to the BIG-IP, since the private key is required to decrypt traffic between the BIG-IP and the pool member.

- (reply author not shown on the page)
We use SSL offloading, and we have the cert and private key on most of our profiles, but we noticed when we generated one from an internally signed CA, we didn't get the private key, but we were still able to do the full SSL offloading that we would with any of our other sites that have both the cert and key.
Cheers

- fLyf5_21542 (Nimbostratus)
I was checking the serverssl profile configuration and have not seen an option to send the F5 certificate (client certificate) to the server.
When the server sends its SSL certificate to the F5 (client), why does LTM need the server's key? Isn't it private to the server?
Also not sure on the impact of setting Server Authentication: Ignore.

- nitass (Employee)
> I was checking the serverssl profile configuration and have not seen an option to send the F5 certificate (client certificate) to the server.
It is the certificate and key setting.
> When the server sends its SSL certificate to the F5 (client), why does LTM need the server's key? Isn't it private to the server?
The BIG-IP does not need the server (pool member)'s private key. The certificate and key I said is the client's certificate and key, which the BIG-IP has to present to the pool member in case the pool member requires client certificate authentication. If the pool member does not do client certificate authentication, no certificate and key need to be set in the serverssl profile.
sol11220: Overview of the Server SSL profile
http://support.f5.com/kb/en-us/solutions/public/11000/200/sol11220.html

- fLyf5_21542 (Nimbostratus)
Big, big thanks to you nitass, I am clear with the SSL process now :)
In my case, the other end device is another load balancer, and the server certificate is self-signed by the other LB (not sure which device it is).
Is it a good idea to import the server certificate to my LB, though I am not going to map it with any of the profiles?

- nitass (Employee)
> Is it a good idea to import the server certificate to my LB, though I am not going to map it with any of the profiles?
If I were you, I wouldn't import it (since you know it is not used).
Cheer! :-)

- fLyf5_21542 (Nimbostratus)
He he, thanks man.
I just want the F5 to recognise the certificate as trusted. Could you tell me how I can do this?
I usually get a certificate error whenever I access any page with a self-signed certificate. Will the F5 show similar behaviour?
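Added configuration example (not from this thread or from F5's documentation): tmsh commands showing a serverssl profile with Server Authentication left at Ignore beside one that validates the pool member's self-signed certificate, which is what "having the F5 recognise the certificate as trusted" comes down to. The object names, hostname and file path (backend_selfsigned, serverssl_verify_backend, vs_web, backend.internal.example, /var/tmp/backend.crt) are assumptions.

```tmsh
# Added example, not part of the thread. Object names, the hostname and the
# file path are assumptions; the cert object is shown as backend_selfsigned.crt
# because BIG-IP appends .crt to imported certificate names.

# 1. Import the pool member's self-signed certificate so the BIG-IP can use it
#    as a trust anchor. No private key is needed: the key stays on the pool
#    member, exactly as nitass explains above.
tmsh install sys crypto cert backend_selfsigned from-local-file /var/tmp/backend.crt

# 2. Weak setting: Server Authentication "Ignore" (the default serverssl
#    behaviour). Traffic to the pool member is encrypted, but the BIG-IP never
#    checks who it is talking to, so any certificate is accepted.
tmsh create ltm profile server-ssl serverssl_backend_ignore defaults-from serverssl peer-cert-mode ignore

# 3. Corrected setting: require the peer certificate, validate it against the
#    imported self-signed certificate, and check the expected Common Name.
tmsh create ltm profile server-ssl serverssl_verify_backend defaults-from serverssl peer-cert-mode require ca-file backend_selfsigned.crt authenticate-name backend.internal.example

# 4. Only if the pool member itself demands client certificate authentication
#    does the BIG-IP need its own certificate and key (bigip_client.crt and
#    bigip_client.key are placeholders for a pair issued to the BIG-IP).
# tmsh modify ltm profile server-ssl serverssl_verify_backend cert bigip_client.crt key bigip_client.key

# 5. Attach the verifying profile to the virtual server.
tmsh modify ltm virtual vs_web profiles add { serverssl_verify_backend }

# Check: after this change a server-side handshake failure means the pool
# member presented a certificate that does not match backend_selfsigned.crt
# or whose Common Name differs from authenticate-name.
tmsh list ltm profile server-ssl serverssl_verify_backend
```

Because the trust anchor is the single self-signed certificate, the BIG-IP will start failing server-side handshakes when the other load balancer renews that certificate, so the renewal has to be coordinated with a re-import.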