Forum Discussion

Suhail_128143's avatar
Suhail_128143
Icon for Nimbostratus rankNimbostratus
Jul 16, 2004

SSL Accelerator API question

Hello again,     Here is a question on SSL proxy apis...     I see that the create() API takes in the certificate and key information for creating a proxy. This I imagine would s...
dev
devops
iControl
v4
Loc_Pham_101863's avatar
Loc_Pham_101863
Historic F5 Account
Jul 17, 2004
Suhail,

 

 

In Proxy::create, you're right that the key and cert filenames are used to set up the client-side of the proxy, i.e. they're used to negotiate/establish the client-side connection.

 

 

The set_key_file_name and set_cert_file_name, as you've guessed, are used to override the client-side key/cert file names used during the creation, respectively. Client-side key/cert files are required when clientside SSL is enabled.

 

 

Note: Depending on which version of the SDK you're using, we also have the Proxy::create_ex_2 and create_ex_3 methods that take in the server-side key/cert file names. And set_server_key_file_name and set_server_cert_file_name are used to override them respectively. Server-side key/cert files are not required, even when serverside SSL is enabled.

 

 

There can be more than one client-side certificate, i.e. through the use of the client-side chain, CA and certificate CA files. The proxy would then use the certificate CA (which contains one or more certificates) to advertise to the clients as those CAs trusted for client authentication. The certificate passed in by the client will be required to be signed by one of those CAs. More detailed information can be found in the OpenSSL documentation, or BIG-IP manual for SSL proxy.

 

 

Regards,

 

Loc