Forum Discussion
SSL offload verification
Dear All,
I have just finished configuring SSL offload (client---HTTPS---F5-----HTTPS----Server), so i had to configure both client and server ssl profile. I had to use the same certificate for offloading in front end as well as backend. I want what is the best practice in this scenario should we use different certificates for client-ssl and server-ssl ?
Is there any we can verifiy ssl offloading through packet traces ? (e.g. client to F5 (SSL) session and then F5 to Server (SSL) session and so on the reply from server to F5 and then forwarding to the client from F5 ?
Regards,
Akhtar
- Kevin_StewartEmployee
I want what is the best practice in this scenario should we use different certificates for client-ssl and server-ssl
Generally speaking, the F5 is a full layer 4-7 proxy, so the client SSL session is completely separate from the server SSL session. The client SSL profile will affect how the F5 establishes an encrypted session with the client, and the server SSL profile will affect how the F5 establishes an encrypted session with the server. In many case, you don't have to specify a certificate at all in the server SSL profile, as this will be a generic (non-client) SSL session. This is, however, dependent on what the web server requires. You also don't have to re-encrypt the traffic at all. You could simply terminate the client side SSL and pass the unencrypted traffic to non-SSL web servers. Again, depending on you environment, these web servers are being protected by a default-deny security appliance. You may also save yourself some processing overhead by offloading the SSL at the F5 and not requiring it on the server side.
Is there any we can verifiy ssl offloading through packet traces ?
If you're offloading SSL on the client side and re-encrypting on the server side, then all ingress traffic (traffic coming to the F5), and egress traffic (traffic leaving the F5) will be encrypted. If you want to verify that the F5 is successfully offloading the SSL, simply apply a layer profile to the VIP (ex. HTTP) and attempt to process layer 7 data in an iRule. Example:
when HTTP_REQUEST { log local0. [HTTP::host] }
If this displays the request Host header in the LTM log, then you know SSL is being offloaded and that the F5 has access to the unencrypted payload in the middle.
- Kevin_StewartEmployee
In this case shall we offload the server ssl ? because when I just did enable the client ssl offload the application didn't worked and after adding server ssl offload the application started working.
So because you need SSL on both sides of the F5, you absolutely need both client and server SSL profiles.
My second query is related to a different HTTPS application. The client certificate has to be passed on to the server through F5 for the application to work. So for this application do we have to configure SSL proxy feature ?
You're on the right track. Once you offload the SSL on the proxy, there is NO WAY to pass the client certificate to the back end server in an SSL negotiation. Basically, the client digitally signs its certificate with its private key when it sends it over. The server uses this digital signature to validate integrity in transit and non-repudiation. Once the SSL negotiation is complete, that digital signature is destroyed. In order to send the client's certificate to the server side, the proxy would have to be able to again digitally sign it, but because the proxy doesn't have access to the client's private key, this cannot happen. The ProxySSL function, which is available in 11.1 and above, performs an SSL man-in-the-middle function such that the client negotiates SSL directly with the server, but because the F5 has a copy of the server's private key, it can silently derive the same session encryption key and decrypt the payload for inspection. This would be the only way, short of not offloading SSL at all, to get the client's certificate to the server in an SSL negotiation. That said, there are some limitations to what you can do with ProxySSL in place, and you'll want to move to at least 11.3 HF5 for some significant stability improvements.
Is there any way to configure dynamic CRL in SSL profiles because I cant see that option in 11.4
That isn't an option in any version, and absolutely not something that can be done with ProxySSL (since the SSL end point is the back end server). For simple SSL offload, there are shell scripts floating around DevCentral that allow you to dynamically manage and refresh the CRLs in the client SSL profile.
- Akhtar_109015Nimbostratus
**_This would be the only way, short of not offloading SSL at all, to get the client's certificate to the server in an SSL negotiation. That said, there are some limitations to what you can do with ProxySSL in place, and you'll want to move to at least 11.3 HF5 for some significant stability improvements._**
We are running 11.4 HF3, keeping that in mind would there be any limitation in doing inspection ? like ASM.
- Kevin_StewartEmployee
You can absolutely layer in ASM with ProxySSL.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com