SSL Certificates and PKI

Question

Our application allows users to log in to the web server using PKI certificates and all SSL offloading is done on the server. 
&nbsp;  
&nbsp; I was wondering if you could have a client connect to the BIGIP to a Client Side SSL profile, have the BIGIP decrypt, use IRULES for specific tasks, re-encrypt and send to server and still allow the users PKI cert to pass through to the web server? 
&nbsp;  
&nbsp; I did read that you can insert client cert info into the HTTP headers but I do not know much about that. 
&nbsp;  
&nbsp; I am new to the SSL Certs on the BIGIP so any help would be appreciated. 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; Thanks 
&nbsp; Mike

hoolio · Answer

Hi Mike, 
&nbsp;  
&nbsp; As Deb explained a while back, it isn't possible to have LTM use the client's cert to establish an SSL handshake with the pool members. 
&nbsp;  
&nbsp;  
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=53&amp;view=topic&amp;postid=22280&amp;ptarget=22289 
&nbsp;  
&nbsp; There is no mechanism by which to directly forward the client's certificate via the standard authentication process, since using the client's cert to establish the session would require the LTM to use the client's private key as well. (A man-in-the-middle attack, basically) 
&nbsp;  
&nbsp; You can instead use the session table to store the certificate &amp; send it to the server via headers, assuming your app can pick it up from there. Here's an example from the iRules codeshare: 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html 
&nbsp;  
&nbsp; HTH 
&nbsp; /deb 
&nbsp; &nbsp; 
&nbsp;  
&nbsp; Aaron

brian_thompson · Answer

Isn't this different now that SSL Proxy is an option in the SSL profile with the newer code?

kevin_stewart · Answer

Exactly! Given a copy of the server's private key, ProxySSL becomes a party to the key negotiation between the client and server so that it has a copy of the derived session key used for encryption. So while the BIG-IP is technically decrypting and re-encrypting, the client and server are completely unaware. 
&nbsp;  
&nbsp; That said, there are some limitations to what you can do with ProxySSL. The client and server have to be able to negotiate their SSL session uninterrupted. Any iRules you use must not alter the path or flow of the traffic.

Forum Discussion

SSL Certificates and PKI

Recent Discussions

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

F5 looses the token for the first call

feature request: container egress service

did not show checkbox on chrome while access through f5

Related Content

Updating SSL Certificates on BIG-IP using REST API

Implementing SSL Orchestrator - Certificate Considerations

SSL Certificate Report

Help F5 Transform the BIG-IP Administrator Certification

Re: Management Certificate

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS