Forum Discussion
Mike_Rausch_628 (Nimbostratus)
Mar 17, 2010
SSL Certificates and PKI
Our application allows users to log in to the web server using PKI certificates and all SSL offloading is done on the server.
I was wondering if you could have a client connect to the B...
hoolio (Cirrostratus)
Mar 17, 2010
Hi Mike,
As Deb explained a while back, it isn't possible to have LTM use the client's cert to establish an SSL handshake with the pool members.
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=22280&ptarget=22289
There is no mechanism by which to directly forward the client's certificate via the standard authentication process, since using the client's cert to establish the session would require the LTM to use the client's private key as well. (A man-in-the-middle attack, basically)
You can instead use the session table to store the certificate & send it to the server via headers, assuming your app can pick it up from there. Here's an example from the iRules codeshare:
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
HTH
/deb
Aaron
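The pattern described in the reply above (stash the client certificate in the session table at handshake time, then copy it into request headers for the pool members), written out as an added iRule example. This is not the codeshare iRule linked above and not the poster's code; the header names, the 180-second session-table lifetime, and the choice to forward both the DER certificate and its subject are assumptions for illustration.

```tcl
# Added example iRule (Tcl). Assumed header names and timeout; adjust to match what the
# application actually reads.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client certificate has been received on the client-side SSL profile.
    # SSL::cert 0 is the leaf certificate in DER form. Only store it if the profile's
    # verification actually succeeded; otherwise an unverified cert would be forwarded as
    # if it were authenticated.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Key on the SSL session ID so every HTTP request on this SSL session can find it.
        session add ssl [SSL::sessionid] [SSL::cert 0] 180
    }
}

when HTTP_REQUEST {
    # The backend will treat these headers as the identity of the caller, so strip any
    # copy the client itself sent before deciding whether to insert our own. Without this,
    # a client with no certificate could supply the header and impersonate another user.
    HTTP::header remove "X-Client-Cert-DER"
    HTTP::header remove "X-Client-Cert-Subject"

    set cert [session lookup ssl [SSL::sessionid]]
    if { $cert ne "" } {
        # b64encode of the DER bytes gives the backend something it can wrap in PEM
        # markers and parse with its normal X.509 library.
        HTTP::header insert "X-Client-Cert-DER" [b64encode $cert]
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
    }
}
```

Two caveats follow from the reply's own reasoning. First, the LTM is not forwarding the TLS authentication, only a header it has chosen to trust, so the pool members must accept these headers only on connections that can come from the LTM (for example, by listening on an address the LTM alone can reach); any other path to the server turns the header into an authentication bypass. Second, the `HTTP::header remove` calls are part of the control, not cleanup: if the iRule only inserts the header when a certificate is present, a request with no certificate but a client-supplied `X-Client-Cert-Subject` would otherwise reach the server unchanged.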