Emad
May 20, 2014 (Cirrostratus)
SSL Handshake
How can one implement two-way SSL or mutual SSL? I have seen some topics/questions for it on DC but was not able to find any final verdict.
Two-way (Mutual) SSL authentication is the requirement for both parties (client and server) to present identifying certificates to one another. In a "normal", non-mutual SSL handshake, the server always presents its certificate to the client. In mutual SSL auth, the server then requests the client's certificate within the handshake. To enable this functionality, there are generally 3 ways to do it:
Client SSL profile - the simplest option, set request or require in the client authentication section of the client SSL profile. You'll also need to, at a minimum, provide a trusted CA certificate (or certificate bundle) that the F5 will use to explicitly validate the client certificate trust "anchor".
Access Policy Manager - if you have APM licensed, you can use the On-Demand Cert Auth agent to request or require a client certificate as part of the access policy evaluation. You still need the trusted CA certificate (or CA bundle).
An iRule - the most complex approach, using an iRule to force SSL renegotiation and request/require a client certificate.
In all three cases, the F5 consumes the client certificate, performs validation against that certificate, and then exposes the x509 data from the certificate to the session. You can then use that x509 data to perform additional authentication, as required.
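To make the mechanics behind the answer concrete, here is an added Go example; it is not part of the original thread and not F5 code. It builds a constructed in-memory PKI (placeholder names "Example Root CA", "server.example", "alice" and "mallory"), then runs TLS handshakes over loopback TCP with the server's client-authentication setting playing the role of the profile's "request"/"require" knob (my analogy: tls.VerifyClientCertIfGiven for request, tls.RequireAndVerifyClientCert for require, not an F5 statement), while the client presents a certificate issued by the trusted CA, no certificate, or a self-signed one. The ClientCAs pool is the trusted CA bundle the answer says you must provide, and the CommonName the server reads from ConnectionState().PeerCertificates is the x509 data that the session can then use for further authentication.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// must unwraps a result whose failure would mean the test scaffolding itself is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a constructed in-memory certificate for cn, self-signed when parent is nil.
func makeCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // lets the client verify the server certificate by name
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

type pki struct {
	trusted                   *x509.CertPool  // the CA bundle (trust anchor) client certificates are validated against
	server, client, untrusted tls.Certificate // "alice" is issued by that CA; "mallory" is self-signed
}

func newPKI() *pki {
	ca := makeCert("Example Root CA", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf) // only this CA goes into the bundle
	return &pki{pool, makeCert("server.example", false, &ca),
		makeCert("alice", false, &ca), makeCert("mallory", false, nil)}
}

// handshake runs one loopback TCP handshake; mode is the server's "request"/"require" knob and
// offered the client cert presented (zero value = none). Returns the validated client CommonName or the error.
func handshake(p *pki, mode tls.ClientAuthType, offered tls.Certificate) (string, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() { // client side: connect, present what was offered, drain until the server hangs up
		c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), &tls.Config{
			RootCAs: p.trusted, ServerName: "server.example",
			// Present exactly what was offered (even a cert outside the server's CA list) so the server decides.
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &offered, nil },
		})
		_, _ = io.Copy(io.Discard, c) // runs the client handshake and reads until EOF or alert
		c.Close()
	}()
	raw := must(ln.Accept())
	defer raw.Close()
	s := tls.Server(raw, &tls.Config{
		Certificates: []tls.Certificate{p.server},
		ClientAuth:   mode,      // tls.RequireAndVerifyClientCert or tls.VerifyClientCertIfGiven
		ClientCAs:    p.trusted, // without this bundle no client certificate can validate
	})
	if err := s.Handshake(); err != nil {
		return "", err
	}
	// The x509 data from the validated client certificate is now available to the session.
	if peers := s.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", nil
}

func main() {
	p := newPKI()
	for _, mode := range []tls.ClientAuthType{tls.RequireAndVerifyClientCert, tls.VerifyClientCertIfGiven} {
		for _, offer := range []tls.Certificate{p.client, {}, p.untrusted} {
			cn, err := handshake(p, mode, offer)
			fmt.Printf("mode=%v cn=%q err=%v\n", mode, cn, err)
		}
	}
}
```

Running it prints six verdicts: "require" fails the handshake when no certificate or the self-signed "mallory" certificate is presented and yields cn="alice" for the trusted one, while "request" lets a client with no certificate through (cn empty) but still rejects a presented certificate that does not chain to the bundle. The GetClientCertificate callback is there deliberately: Go's default client would decline to send a certificate whose issuer the server did not advertise, which would hide the "untrusted issuer" failure behind a "no certificate" result. Note also that if ClientCAs is left nil, Go's server verifies client certificates against the system roots instead, so even "alice" would be rejected; that is the trust-anchor step the answer above says you must not skip.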