Way to pass client cert through vip to the servers.

Question

I've got a customer with a vip set up. This vip has SSL Offloading enabled with a client and serverssl profile enabled on it. He want to have it so his client cert is passed through the vip so that it reaches his servers. He also doesn't want to disable SSL offloading as this causes other problems. Is there an irule that can do this? Or possibly some other way? He wants the ca certs and key to be passed as well, in addition to the main cert.

andrew-f5 · Answer

Hi atoth,&nbsp;It sounds like you're describing our SSL proxy feature noted here, https://support.f5.com/csp/article/K13385?sr=33588210. &nbsp;Can you review that document and see if it matches your needs?&nbsp;Best,Andrew

jaikumar_f5 · Answer

In default scenarios, the serverssl profile which we create does not have the cert in it. The default property is none. So basically the backend server does not perform any authentication for the LTM.

In certain cases, the backend server would require authentication, so we are required to put a cert on the server ssl profile.

In your case, since the flow is like a proxy, you can get the client certificate and put it on the server ssl profile.

So when the connections flows, this client cert will be provided by LTM to the backend servers.

atoth · Answer

SSL proxy may have worked, but at the moment, it seems like the customer will be going with just having SSL offloading removed.

Forum Discussion

Way to pass client cert through vip to the servers.

Recent Discussions

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

VLAN Failsafe Functionality

Related Content

Client vs Server SSL profile

STARTTLS Server SMTP with cleartext and STARTTLS client support

Client-side vs Server-side Load Balancing

Using Client Subnet in DNS Requests

iRule based RADIUS Client Stack

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS