For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

VladTC_372671's avatar
VladTC_372671
Icon for Nimbostratus rankNimbostratus
Sep 21, 2018

SSL Client certificaet forward with BigIp

Hello,   I need support with a problem that I'm facing right now... I have a WebApi hosted on IIS server that can be accessed only with a client certificate. The validation is made in the WebApi. ...
BIG-IP
devops
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 21, 2018

As Youssef states, ProxySSL can only be used if you can force the client and server to use a non-perfect forward secret (RSA) TLS handshake key exchange. This becomes harder to do as modern browsers remove RSA as an option, or when TLSv1.3 removes it completely.

 

The better option would be Client Certificate Constrained Delegation (C3D). This is a feature added in 13.1 that allows you to "forge" a client certificate to a local server. Using a local certificate authority certificate and private key that the server trusts, C3D consumes the client certificate, validates and checks revocation (OCSP, CRL), and then creates a new locally-issued client cert on the fly with all of the attributes of the original client cert, and presents that to the server. In this way you can continue to perform mutual auth on the server, and still explicitly decrypt and re-encrypt on the F5.

 

Ref: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/4.html

 

Ref: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/9.html