For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Advanced Threat Mitigations via SSL Intercept

SSL offload has been around for quite some time. But this technology was primarily developed for the web farm audience, offloading SSL traffic from the application servers and putting the load on app...
Published Feb 23, 2016
Version 1.0
AFM
dcsecurity16
fireeye
security
ssl
TMOS
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
candc's avatar
candc
Icon for Cirrus rankCirrus
Jul 27, 2017

How well does this work for pinned (HPKP) certificates.

Is it simply as straightforward as having the BIGIP remove or rewrite the 

Public-Key-Pins(-Report-Only)
header in 
HTTP_RESPONSE
, to one that is in line with the certs generated by your BIGIP?

I presume that, if you are implementing this in an environment that has already received some 

Public-Key-Pins
, you are at the mercy of the existing 
max-age
of those values, unless you can also influence the resetting of browser state amongst your users?