15-Dec-2021 12:27
Hey all,
At our company, we have a BIG-IP cluster bridging two networks, with servers / client on both sides (we also have the AWAF module which goes over HTTP requests).
Some of our websites require mutual TLS, but the thing is we have a lot of client certificates, and can't load all of them into BIG-IP.
Is there a way to forward the client certificate to the server? We need the certificates to be presented during the handshake and not sent as a header.
Thanks!
16-Dec-2021 00:06
F5 is a full proxy. If F5 is terminating SSL on the clientside, acting as TLS server and requesting for mTLS cert from the client, only way to send the cert to the backend node is parse the cert and send it in HTTP header.
If the backend node, needs to have clientcert directly from the client (without F5 sending it in a header), VIP needs to be configured as TLS pass-through (either performance layer 4 or standard VIP without http and ssl profiles)
OR you can try proxy-ssl feature
https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-system-ssl-administration/implementing-proxy-ssl-on-a-single-big-ip-system.html