
Suhail_128143
Jul 16, 2004

SSL Accelerator API question

Hello again,

Here is a question on SSL proxy APIs...

I see that the create() API takes in the certificate and key information for creating a proxy. This I imagine would set up the client side of the proxy to use the specified cert/key. This is what is negotiated with the client, correct?

Then again there are these APIs set_cert_file_name() and set_key_file_name()... what are these for? Is this to override the one set up during create()?

Also, can there be more than one client-side certificate for a proxy instance? If so, how is the selection process? I mean, how does the proxy know what certificate to send to a client?

Thanks in advance,

~Suhail

1 Reply

Loc_Pham_101863
Historic F5 Account

Suhail,

In Proxy::create, you're right that the key and cert filenames are used to set up the client side of the proxy, i.e. they're used to negotiate/establish the client-side connection.

The set_key_file_name and set_cert_file_name, as you've guessed, are used to override the client-side key/cert file names used during the creation, respectively. Client-side key/cert files are required when client-side SSL is enabled.

Note: Depending on which version of the SDK you're using, we also have the Proxy::create_ex_2 and create_ex_3 methods that take in the server-side key/cert file names, and set_server_key_file_name and set_server_cert_file_name are used to override them, respectively. Server-side key/cert files are not required, even when server-side SSL is enabled.

There can be more than one client-side certificate, i.e. through the use of the client-side chain, CA and certificate CA files. The proxy would then use the certificate CA file (which contains one or more certificates) to advertise to clients the CAs trusted for client authentication. The certificate passed in by the client will be required to be signed by one of those CAs. More detailed information can be found in the OpenSSL documentation or the BIG-IP manual for the SSL proxy.

Regards,

Loc
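The last paragraph of Loc's reply describes the TLS client-authentication mechanism that the proxy's "certificate CA file" drives: the server lists the CAs it trusts in its CertificateRequest, and a client certificate is accepted only if it chains to one of them. The following is an added example, written for this page and not code from F5, the iControl SDK or the thread; it uses Go's standard crypto/tls as a stand-in for the BIG-IP SSL proxy, with the ClientCAs pool playing the role of the certificate CA file. All certificates, the names "Demo Client CA", "Rogue CA", "alice" and "mallory", and the loopback listener are constructed for the demo. It goes a step beyond the reply by also showing the rejection path: a certificate issued by a CA the server does not list is refused.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a throwaway P-256 certificate: self-signed when isCA is true, otherwise signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// handshake runs one TLS connection over loopback TCP against srv, presenting cert/key as the client
// certificate. It returns the DER subject names the server advertised as acceptable client CAs and a
// nil error only when the server accepted the client certificate.
func handshake(srv *tls.Config, serverCert, cert *x509.Certificate, key *ecdsa.PrivateKey) ([][]byte, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0")) // constructed: demo listener, no real network
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			defer raw.Close()
			s := tls.Server(raw, srv)
			if s.Handshake() == nil { // the client certificate is checked against ClientCAs in here
				s.Write([]byte("ok")) // sent only after the client certificate was accepted
			}
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(serverCert)
	var advertised [][]byte
	cfg := &tls.Config{
		ServerName: "localhost", RootCAs: roots,
		// The server's CertificateRequest lists the CAs it trusts for client authentication.
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			advertised = cri.AcceptableCAs
			return &tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}, nil
		},
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return advertised, err
	}
	defer c.Close()
	// In TLS 1.3 the client's handshake completes before the server has checked the
	// certificate, so a rejection only surfaces as an alert on the first read.
	_, err = c.Read(make([]byte, 2))
	return advertised, err
}

// RunScenarios builds the demo PKI and runs two clients against a server whose ClientCAs pool (the
// proxy's "certificate CA file") holds one CA. It reports whether exactly that CA was advertised, and
// the outcome for "alice" (issued by that CA) and "mallory" (issued by an unrelated CA).
func RunScenarios() (advertisedOK bool, aliceErr, malloryErr error) {
	serverCert, serverKey := newCert("localhost", true, nil, nil) // self-signed, acts as its own root
	clientCA, clientCAKey := newCert("Demo Client CA", true, nil, nil)
	rogueCA, rogueCAKey := newCert("Rogue CA", true, nil, nil)
	alice, aliceKey := newCert("alice", false, clientCA, clientCAKey)
	mallory, malloryKey := newCert("mallory", false, rogueCA, rogueCAKey)
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientCA)
	srv := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: clientCAs, MinVersion: tls.VersionTLS12,
	}
	advertised, aliceErr := handshake(srv, serverCert, alice, aliceKey)
	_, malloryErr = handshake(srv, serverCert, mallory, malloryKey)
	return len(advertised) == 1 && bytes.Equal(advertised[0], clientCA.RawSubject), aliceErr, malloryErr
}

func main() {
	fmt.Println(RunScenarios())
}
```

Run it with `go run` on a single file; it prints `true <nil>` followed by the "bad certificate" error for the second client. The point to take from it is the split of roles the reply describes: the server's own key/cert (Certificates here, the client-side key/cert files on the proxy) is what the server presents to the client, while ClientCAs (the certificate CA file) only determines which issuers are advertised in the CertificateRequest and which client certificates pass verification. The iControl calls themselves are not exercised; the example only shows the TLS behaviour those files configure.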