SSL offload verification
In this case, shall we offload the server SSL? Because when I just enabled the client SSL offload the application didn't work, and after adding server SSL offload the application started working.
So because you need SSL on both sides of the F5, you absolutely need both client and server SSL profiles.
My second query is related to a different HTTPS application. The client certificate has to be passed on to the server through the F5 for the application to work. So for this application, do we have to configure the SSL proxy feature?
You're on the right track. Once you offload the SSL on the proxy, there is NO WAY to pass the client certificate to the back end server in an SSL negotiation. Basically, the client digitally signs its certificate with its private key when it sends it over. The server uses this digital signature to validate integrity in transit and non-repudiation. Once the SSL negotiation is complete, that digital signature is destroyed. In order to send the client's certificate to the server side, the proxy would have to be able to again digitally sign it, but because the proxy doesn't have access to the client's private key, this cannot happen. The ProxySSL function, which is available in 11.1 and above, performs an SSL man-in-the-middle function such that the client negotiates SSL directly with the server, but because the F5 has a copy of the server's private key, it can silently derive the same session encryption key and decrypt the payload for inspection. This would be the only way, short of not offloading SSL at all, to get the client's certificate to the server in an SSL negotiation. That said, there are some limitations to what you can do with ProxySSL in place, and you'll want to move to at least 11.3 HF5 for some significant stability improvements.
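As an added illustration of the signature argument in the reply above (example code written for this page, not F5's or the original poster's), the following Python models the proof of possession a client sends along with its certificate. In TLS that signature (CertificateVerify) covers the handshake transcript, which includes both sides' nonces and the certificate itself, so it is only valid for the one handshake the client actually took part in. The script uses a stdlib-only textbook RSA over small primes so it runs offline; the message names, nonce layout and the proxy's own key pair are assumptions, and real TLS uses padded signatures. The last part models the case the reply describes for ProxySSL: a key exchange where the pre-master secret is encrypted to the server's public key, so whoever holds a copy of the server's private key can recover it.

```python
import hashlib
import secrets

# --- toy RSA (textbook, unpadded; for illustration only, never for production) ---

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def gen_keypair(bits: int = 512):
    """Returns ((n, e), (n, d)); 512-bit modulus keeps this fast in pure Python."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))   # modular inverse needs Python 3.8+

def pub_bytes(pub) -> bytes:
    n, e = pub
    return n.to_bytes(64, "big") + e.to_bytes(4, "big")

def transcript_hash(messages) -> int:
    """Hash of the handshake messages seen so far, length-prefixed like a real transcript."""
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(4, "big") + m)
    return int.from_bytes(h.digest(), "big")

def sign(priv, messages) -> int:
    n, d = priv
    return pow(transcript_hash(messages), d, n)

def verify(pub, messages, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == transcript_hash(messages)

# --- the handshake steps that matter for the argument ---

def client_certificate_verify(client_pub, client_priv, client_random, server_random):
    """Client side of a mutual-auth handshake: CertificateVerify signs the transcript,
    which binds the client's certificate to THIS handshake's nonces (assumed layout)."""
    transcript = [
        b"ClientHello:" + client_random,
        b"ServerHello:" + server_random,
        b"Certificate:" + pub_bytes(client_pub),
    ]
    return transcript, sign(client_priv, transcript)

def scenario() -> dict:
    client_pub, client_priv = gen_keypair()
    proxy_pub, proxy_priv = gen_keypair()      # the offloading proxy's own identity (assumption)
    server_pub, server_priv = gen_keypair()
    client_random = secrets.token_bytes(32)

    # 1. Client and server complete one handshake (direct, or via ProxySSL, which does not
    #    terminate the client-side session): the server verifies with the certificate's key.
    server_random = secrets.token_bytes(32)
    transcript, sig = client_certificate_verify(client_pub, client_priv, client_random, server_random)
    direct_ok = verify(client_pub, transcript, sig)

    # 2. Full offload: the proxy terminated the client and now starts a NEW handshake with the
    #    back end, so the back end's nonce differs and the client's signature no longer matches.
    backend_random = secrets.token_bytes(32)
    backend_transcript = [transcript[0], b"ServerHello:" + backend_random, transcript[2]]
    replay_ok = verify(client_pub, backend_transcript, sig)              # forward the old signature
    resign_ok = verify(client_pub, backend_transcript, sign(proxy_priv, backend_transcript))  # proxy signs itself

    # 3. ProxySSL-style inspection: the pre-master secret is encrypted to the server's public key,
    #    so a proxy holding a copy of server_priv recovers it and can derive the session keys.
    premaster = secrets.randbits(384)
    encrypted = pow(premaster, server_pub[1], server_pub[0])
    proxy_copy_of_server_priv = server_priv
    recovered = pow(encrypted, proxy_copy_of_server_priv[1], proxy_copy_of_server_priv[0]) == premaster

    return {"direct": direct_ok, "replay": replay_ok, "resign": resign_ok, "proxyssl": recovered}

if __name__ == "__main__":
    print(scenario())
```

The two failing cases are the whole point of the reply: without the client's private key the proxy can neither reuse the client's signature on a different handshake nor produce a fresh one, so once the client-side session is terminated on the F5 the certificate cannot be re-presented to the back end. The last case also shows the precondition for ProxySSL: it only works for a key exchange that encrypts the pre-master secret to the server's key, which is why a copy of the server's private key is enough to decrypt the payload.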
Is there any way to configure a dynamic CRL in SSL profiles? Because I can't see that option in 11.4.
That isn't an option in any version, and absolutely not something that can be done with ProxySSL (since the SSL end point is the back end server). For simple SSL offload, there are shell scripts floating around DevCentral that allow you to dynamically manage and refresh the CRLs in the client SSL profile.
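The reply above mentions DevCentral scripts that refresh the CRL on a client SSL profile out of band. The following Python is an added sketch of the decision logic such a job needs, written for this page and not one of those scripts: it refuses to apply anything that does not look like a CRL (an empty or truncated download must never replace a working one), skips the update when the CRL has not changed, and otherwise emits the tmsh commands to load the file and point the profile at it. The object names, paths and profile name are placeholders, and the tmsh command forms are my assumptions for an 11.x BIG-IP; check them against your version before scheduling this from cron.

```python
import hashlib
import json
import subprocess
from pathlib import Path
from typing import List, Optional

PEM_BEGIN = b"-----BEGIN X509 CRL-----"
PEM_END = b"-----END X509 CRL-----"

def crl_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def looks_like_crl(data: bytes) -> bool:
    """Cheap structural check, fail closed: PEM CRL markers or an outer DER SEQUENCE."""
    if not data:
        return False
    if data.lstrip().startswith(PEM_BEGIN):
        return PEM_END in data
    return data[0] == 0x30           # DER CertificateList starts with SEQUENCE (0x30)

def plan_refresh(new_crl: bytes, installed_digest: Optional[str],
                 crl_name: str, profile: str, staging_path: str) -> List[str]:
    """Return the tmsh commands to apply, or [] when the installed CRL is already current.
    The commands are assumptions for 11.x: 'create' for a CRL object that does not exist yet,
    'modify ... source-path' to reload an existing one."""
    if not looks_like_crl(new_crl):
        raise ValueError("downloaded data is not a CRL; profile left untouched")
    if crl_digest(new_crl) == installed_digest:
        return []
    verb = "modify" if installed_digest else "create"
    return [
        f"tmsh {verb} sys file ssl-crl {crl_name} source-path file:{staging_path}",
        f"tmsh modify ltm profile client-ssl {profile} crl-file {crl_name}",
        "tmsh save sys config",
    ]

def refresh(new_crl: bytes, state_file: str, crl_name: str, profile: str,
            staging_path: str, run: bool = False) -> List[str]:
    """Apply plan_refresh() and record the digest so repeated runs are idempotent.
    With run=False (the default) the commands are only returned, not executed."""
    state = Path(state_file)
    installed = json.loads(state.read_text()).get("digest") if state.exists() else None
    cmds = plan_refresh(new_crl, installed, crl_name, profile, staging_path)
    if cmds:
        Path(staging_path).write_bytes(new_crl)
        if run:
            for c in cmds:
                subprocess.run(c.split(), check=True)
        state.write_text(json.dumps({"digest": crl_digest(new_crl)}))
    return cmds

if __name__ == "__main__":
    # Constructed placeholder; a real job would fetch this from the CA's CRL distribution point.
    sample = PEM_BEGIN + b"\nMIIB...\n" + PEM_END + b"\n"
    for line in refresh(sample, "/var/tmp/corp-ca-crl.state", "corp-ca-crl",
                        "client-ssl-corp", "/var/tmp/corp-ca.crl"):
        print(line)
```

The digest state file is what makes the job safe to run every few minutes: an unchanged CRL produces no config change and no `save sys config`. If the CRL object already exists on the box before the first run, seed the state file (or switch the first verb to `modify`) rather than letting `create` fail. None of this helps with ProxySSL, for the reason the reply gives: revocation checking there happens on the back-end server, not in the F5 profile.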