Forum Discussion
TLS Client Authentication from Server SSL Profile
Hi,
If you configure TLS Client Authentication on your backend server, you must disable SSL processing on the Virtual Server configured on the BIG-IP. TLS Client Authentication is not passed from clientside to serverside, as the F5 device doesn't have the private key of the user.
Alternatively, you can apply a valid certificate/key to the SSL Server profile to do client certificate authentication between the BIG-IP device and the backend server. But it's only one certificate for all users.
- Aug 17, 2017
Hi Yann
It is client authentication between the LTM and the target server we wish to do. We are not passing TLS from the real server to the target server via the LTM. There are two distinct TLS flows here:
Source internal server -> LTM (client SSL profile applied)
LTM -> target server on internet (server SSL profile applied)
The issue is the second flow. The LTM is sending the certificate to the target server as the target server is sending the Certificate Request message. However, it appears the LTM is not sending a Certificate Verify message which the target server is complaining about.
Thanks.
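An added example, not part of the original posts and not F5 code: in TLS 1.2 a client sends CertificateVerify only after a non-empty Certificate message, so a capture of the LTM -> target server flow can be checked for both. The Python below assumes TLS 1.2 or earlier (client handshake messages are plaintext up to ChangeCipherSpec); the function names and sample byte strings are constructed for the illustration.

```python
import struct
CERTIFICATE, CERTIFICATE_VERIFY = 11, 15   # TLS 1.2 handshake message types

def handshake_messages(stream: bytes):
    """Yield (type, body) for plaintext handshake messages in TLS records."""
    payload, i = b"", 0
    while i + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[i:i + 5])
        if ctype == 20:          # ChangeCipherSpec: later records are encrypted
            break
        if ctype == 22:          # handshake record; messages may span records
            payload += stream[i + 5:i + 5 + length]
        i += 5 + length
    j = 0
    while j + 4 <= len(payload):
        mlen = int.from_bytes(payload[j + 1:j + 4], "big")
        yield payload[j], payload[j + 4:j + 4 + mlen]
        j += 4 + mlen

def cert_count(body: bytes) -> int:
    """Count entries in a Certificate message's certificate_list."""
    end, k, n = 3 + int.from_bytes(body[:3], "big"), 3, 0
    while k + 3 <= min(end, len(body)):
        k += 3 + int.from_bytes(body[k:k + 3], "big")
        n += 1
    return n

def diagnose_client_flight(stream: bytes) -> str:
    msgs = dict(handshake_messages(stream))
    if CERTIFICATE not in msgs:
        return "no Certificate message"
    if cert_count(msgs[CERTIFICATE]) == 0:
        return "empty Certificate, so no CertificateVerify follows"
    if CERTIFICATE_VERIFY in msgs:
        return "certificate and CertificateVerify both sent"
    return "certificate sent without CertificateVerify"

# Constructed sample flights (placeholder bytes, not real certificates or keys).
def hs_msg(mtype, body): return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def record(ctype, data): return struct.pack("!BHH", ctype, 0x0303, len(data)) + data
def cert_list(*certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries

CKE, VERIFY = hs_msg(16, b"\x00\x02\xaa\xbb"), hs_msg(15, b"\x04\x01\x00\x02\xcc\xdd")
CCS = record(20, b"\x01")
WITH_VERIFY = record(22, hs_msg(11, cert_list(b"\x30\x00")) + CKE + VERIFY) + CCS
WITHOUT_VERIFY = record(22, hs_msg(11, cert_list(b"\x30\x00")) + CKE) + CCS
EMPTY_CERT = record(22, hs_msg(11, cert_list()) + CKE) + CCS
```

To use it on real traffic, pass the concatenated TLS record bytes of the client-to-server direction, for example exported from a packet capture.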