SSL Accelerator API question

Suhail,

 

 

In Proxy::create, you're right that the key and cert filenames are used to set up the client-side of the proxy, i.e. they're used to negotiate/establish the client-side connection.

 

 

The set_key_file_name and set_cert_file_name, as you've guessed, are used to override the client-side key/cert file names used during the creation, respectively. Client-side key/cert files are required when clientside SSL is enabled.

 

 

Note: Depending on which version of the SDK you're using, we also have the Proxy::create_ex_2 and create_ex_3 methods that take in the server-side key/cert file names. And set_server_key_file_name and set_server_cert_file_name are used to override them respectively. Server-side key/cert files are not required, even when serverside SSL is enabled.

 

 

There can be more than one client-side certificate, i.e. through the use of the client-side chain, CA and certificate CA files. The proxy would then use the certificate CA (which contains one or more certificates) to advertise to the clients as those CAs trusted for client authentication. The certificate passed in by the client will be required to be signed by one of those CAs. More detailed information can be found in the OpenSSL documentation, or BIG-IP manual for SSL proxy.

 

 

Regards,

 

Loc