SSL Handshake
How can one implement two-way SSL or Mutual SSL? I have seen some topics/questions about it on DC but have not been able to find any final verdict.
5 Replies
- Kevin_Stewart
Employee
Two-way (Mutual) SSL authentication is the requirement for both parties (client and server) to present identifying certificates to one another. In a "normal", non-mutual SSL handshake, the server always presents its certificate to the client. In mutual SSL auth, the server then requests the client's certificate within the handshake. To enable this functionality, there are generally 3 ways to do it:
- Client SSL profile - the simplest option, set request or require in the client authentication section of the client SSL profile. You'll also need to, at a minimum, provide a trusted CA certificate (or certificate bundle) that the F5 will use to explicitly validate the client certificate trust "anchor".
- Access Policy Manager - if you have APM licensed, you can use the On-Demand Cert Auth agent to request or require a client certificate as part of the access policy evaluation. You still need the trusted CA certificate (or CA bundle).
- An iRule - the most complex approach, using an iRule to force SSL renegotiation and request/require a client certificate.
In all three cases, the F5 consumes the client certificate, performs validation against that certificate, and then exposes the x509 data from the certificate to the session. You can then use that x509 data to perform additional authentication, as required.
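As an added example (not code from this thread or from F5), here is an iRule for the first option that consumes the x509 data the reply describes and hands it to the pool member. It assumes a client SSL profile with peer-cert-mode set to "request" and the client-signing CA configured as the trusted CA; the header names and the reject behaviour are choices made for this example.

```tcl
# Added example, not from the thread. Assumes the client SSL profile has
# peer-cert-mode "request" and the CA that signs client certificates in its
# trusted CA setting. "request" lets the handshake finish even when the
# certificate fails validation, so the iRule checks the result itself.

when CLIENTSSL_CLIENTCERT {
    # Fires once BIG-IP has received the client's certificate (or none).
    if { [SSL::cert count] == 0 } {
        # No certificate presented: drop the connection instead of
        # forwarding an unauthenticated request.
        reject
        return
    }
    # 0 means the chain validated against the profile's trusted CA bundle.
    set verify_result [SSL::verify_result]
    if { $verify_result != 0 } {
        log local0. "Client cert from [IP::client_addr] rejected: [X509::verify_cert_error_string $verify_result]"
        reject
        return
    }
    # Keep the validated identity for every request on this connection.
    set client_cert_subject [X509::subject [SSL::cert 0]]
    set client_cert_issuer  [X509::issuer [SSL::cert 0]]
    set client_cert_serial  [X509::serial_number [SSL::cert 0]]
}

when HTTP_REQUEST {
    # Remove any copy of these headers the client may have sent, then
    # insert the values taken from the validated certificate (header
    # names are an assumption of this example).
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"
    HTTP::header remove "X-Client-Cert-Serial"
    if { [info exists client_cert_subject] } {
        HTTP::header insert "X-Client-Cert-Subject" $client_cert_subject
        HTTP::header insert "X-Client-Cert-Issuer"  $client_cert_issuer
        HTTP::header insert "X-Client-Cert-Serial"  $client_cert_serial
    }
}
```

The backend should trust these headers only when it is reached exclusively through this virtual server, since any other path could supply them directly.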
- Emad
Cirrostratus
Kevin, this is very useful information. I do use a non-CA root certificate, so do I have to advertise it also?
- Kevin_Stewart
Employee
Not sure what you mean by a "non-CA root certificate". Do you mean a non-root CA certificate, or a non-CA (i.e. standard web server) certificate?
- Emad
Cirrostratus
It's the CA Root certificate which I need to validate the client cert. Currently it's not a trusted one, i.e.
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification authorities store."
- nitass
Employee
> It's the CA Root certificate which I need to validate the client cert.
The CA certificate (i.e. the certificate which signed the certificate the client sends) has to be configured in the clientssl profile (i.e. the Trusted Certificate Authorities setting).
> This CA Root certificate is not trusted because it is not in the Trusted Root Certification authorities store.
If this is an error shown in the browser, the problem is with the certificate BIG-IP sends (i.e. not the certificate the client sends to BIG-IP). It means the certificate is signed by a CA certificate which is not stored in the Trusted Root Certification Authorities on the client.