Forum Discussion
smiley_dba_1116
Nimbostratus
Nov 05, 2012
Use an SSL cert to decrypt traffic
So here is the issue. Traffic that passes through the F5 is encrypted from the client straight to the members. The F5 doesn't do the SSL termination, but just a passthrough. Is it possible to get the C...
Kevin_Stewart
Employee
Nov 05, 2012
In a word, no.
When the client sends its certificate to the server, it does so AFTER digitally signing a portion of the response with its private key. In order to pass the client's certificate in an SSL negotiation to the server, BIG-IP would have to have a copy of the client's private key.
You have at least two options:
1. ProxySSL - this is a "man-in-the-middle" SSL technique that allows the BIG-IP to be part of the SSL negotiation between endpoints. So you get complete end-to-end SSL but also the ability to (transparently) decrypt and inspect the HTTP data. It's available starting with v11.
2. Decrypt and pass HTTP headers - if you can justify terminating the SSL at the BIG-IP (with the added performance benefit), this is a tried and true solution. Terminate the SSL and send the X509 certificate data in an HTTP header (or other data component).
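The second option above, as an added example that is not code from the original thread, from Kevin, or from F5's published iRules: an iRule that terminates SSL on the BIG-IP and forwards the client's X.509 certificate to the pool member in HTTP headers. It assumes the virtual server already has an HTTP profile and a clientssl profile with client certificate authentication set to "request" or "require" (so the handshake actually collects a certificate), and the header names X-Client-Cert, X-Client-Cert-Subject, X-Client-Cert-Issuer and X-Client-Cert-Serial are arbitrary choices, not anything the BIG-IP or a backend expects by default.

```tcl
# Added example (not part of the original post). Assumes a clientssl profile
# with client-certificate authentication enabled on the same virtual server.
# The X-Client-Cert* header names are assumptions; use whatever your app reads.

when HTTP_REQUEST {
    # Anything the client sends under these names is untrusted: a client on the
    # internet could otherwise forge "its" certificate simply by sending the
    # header itself. Strip every inbound copy before inserting our own values.
    HTTP::header remove X-Client-Cert
    HTTP::header remove X-Client-Cert-Subject
    HTTP::header remove X-Client-Cert-Issuer
    HTTP::header remove X-Client-Cert-Serial

    # SSL::cert 0 returns the leaf certificate the client presented during the
    # clientside handshake, in DER form. It is empty when no cert was sent
    # (e.g. client auth set to "request" and the client declined).
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]

        # Raw DER, base64-encoded so it survives as a single header value.
        # The backend can decode this and run its own chain/revocation checks.
        HTTP::header insert X-Client-Cert [b64encode $cert]

        # Pre-parsed identity fields for applications that only need to know
        # who the caller is and do not want to parse ASN.1 themselves.
        HTTP::header insert X-Client-Cert-Subject [X509::subject $cert]
        HTTP::header insert X-Client-Cert-Issuer [X509::issuer $cert]
        HTTP::header insert X-Client-Cert-Serial [X509::serial_number $cert]
    }
}
```

Two things a practitioner should check before relying on this. First, the header-stripping lines are what make the scheme trustworthy: the pool members must only accept these headers on connections that come from the BIG-IP (network ACLs, or a serverssl profile with the BIG-IP presenting its own certificate on the server-side leg), otherwise any host that can reach a member directly can claim an arbitrary identity. Second, the BIG-IP validates the chain against the clientssl profile's trusted CA bundle; the base64 DER is forwarded so the application can still check expiry, revocation and policy itself rather than trusting the subject string alone.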