Forum Discussion
SSL Mutual (Two-way) Authentication Load Balancing
Per the referenced article:
Mutual SSL provides the same things as SSL, with the addition of authentication and non-repudiation of the client authentication, using digital signatures
This in effect relates to client certificates. In any SSL negotiation the server's certificate is always presented, so mutual authentication would also require the client's certificate. Now in terms of the proxy layer, if you offload (and optionally re-encrypt) at the VIP, then you have two separate client-server SSL sessions: client side (client to F5 server) and server side (F5 client to web server). If you don't decrypt, then you have a single tunneled SSL session between the client and web server.
So if you need to do mutual SSL on the client side of the proxy, that's pretty straightforward. If you need to do mutual SSL on the server side of the proxy, that too is possible (between the F5 client and web server). But if you need the client's certificate at the web server, your options are limited to tunneling and ProxySSL.