For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dlogsdonmd's avatar
dlogsdonmd
Icon for Nimbostratus rankNimbostratus
Feb 25, 2016

When would I use serverssl profile instead of clientssl profile?

Hello,   Our default for our VS objects is clientssl profiles. We typically create both an HTTP and HTTPS object. Assign a HTTP->HTTPS redirect to the HTTP object and configure and assign a client...
LTM
security
Austin_Geraci_3's avatar
Austin_Geraci_3
Icon for Cirrus rankCirrus
Feb 25, 2016

Using the default serverssl profile on the server side in conjunction with a client-ssl clientside profile will effectively terminate ssl at your BIG-IP on the client side and then re-encrypt to the server - ie decrypt & re-encrypt.

 

If you're doing anything that depends on looking into your stream, like using cookie persistence, you still need to terminate ssl on the client-side. If you don't, then no need for a clientside or serverside ssl profile, just pass the ssl right on through - but again you're limited to your persistence choices and any involved irules.

 

Whether you pass ssl through or terminate and re-encrypt, the server would also need a cert and effectively decrypt ssl, as you suspect, you're not saving any processing cycles here. Note - The server can have an ica cert vs the real CA Cert, as SSL errors would not be seen by the client.