F5 with explicit proxy

Hi, how can I configure an explicit proxy so that my client can go to an application on the outside? The application requests a client certificate; I need the F5 to send a certificate to the websites.

Do I need to add, on the server side, the certificate that the website trusts? (This is on the server side because the server side is the outside application.)


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

So just to be clear,

  • Explicit forward proxy is different from SSL Forward Proxy. An explicit forward proxy is simply a forward proxy that the client knows about and has to talk to directly to reach external resources. By itself, an explicit forward proxy does not decrypt TLS traffic. An SSL Forward Proxy is designed specifically to decrypt outbound TLS traffic by forging the server certificate to the local client.
  • You CANNOT perform SSL Forward Proxy (decrypt and re-encrypt) on traffic that requires a client certificate. You may technically be able to statically define a certificate and key in the SSL Forward Proxy server SSL profile, but then this one certificate would be used for all server-side client cert TLS handshakes.
1
Comments on this Answer
Comment made 5 months ago by igorzhuk 69

Hi Kevin, that is what I need. I need all clients to use the same cert for the outside. How can I configure this?

0
Comment made 5 months ago by Kevin Stewart

You'd add a client certificate and private key to the server SSL profile.

0
Comment made 5 months ago by igorzhuk 69

Why do I need the key, if the F5 provides only the certificate when the server side requests it?

0
Comment made 5 months ago by Kevin Stewart

Okay, so let's first clarify that you want to send a client certificate FROM the F5, to a remote server. The client certificate is static (the same) for all users, and defined in the server SSL profile.

If the above is a correct statement, then a private key is also required. As part of a mutual TLS handshake (where the client also presents a cert), the server sends a Certificate Request message, the client sends a Certificate message, and then the client sends a Certificate Verify message. The last message is a digitally-signed hash - a record of all previous messages - signed with the client's private key. The server decrypts the hash with the client's public key (from the certificate) and compares the records. Therefore the client (the F5 in this case) must also possess the corresponding private key. This is the biggest reason why a client certificate (from the real client) cannot be passed through a middle-box that does decryption - because the middle box would never have access to the client's private key to create the digitally-signed Certificate Verify message in the TLS handshake.

1
Comment made 4 months ago by igorzhuk 69

Hi Kevin, do you have any KB or how-to for configuring SSL Forward Proxy with the F5 providing a certificate for the server's request?

0
Comment made 4 months ago by Kevin Stewart

If you're still talking about a static certificate hosted on the F5, then you'd simply upload the certificate and private key to the F5, and assign these to the Certificate and Key options in the server SSL profile.

0
Comment made 4 months ago by igorzhuk 69

Hi Kevin, thanks for your help.

OK, this is for the server side.

And what about the client side?

And I know that I need to export the cert from the CA and import it into the BIG-IP client-side SSL profile. How does the F5 generate a certificate for each request? The F5 needs to generate a certificate for the client, from the CA, for each client request.

Does the BIG-IP do that automatically? Do I only need to check the "SSL Forward Proxy" checkbox?

0
Comment made 4 months ago by Kevin Stewart

SSL Forward Proxy re-issues server certificates. So basically, it pauses the client-side TLS handshake at the ClientHello, completes a server-side TLS handshake, then uses the server certificate from that handshake to forge a new server certificate and resumes the client-side handshake with this new certificate. You enable SSL Forward Proxy in both the client and server SSL profiles.

Ref: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-5-0/16.html

0
Comment made 4 months ago by igorzhuk 69

Thanks, Kevin. Tell me, please: "With the BIG-IP system's SSL forward proxy functionality, you can encrypt all traffic between a client and the BIG-IP system, by using one certificate, and to encrypt all traffic between the BIG-IP system and the server, by using a different certificate."

Without SSL Forward Proxy, when I use a standard SSL profile on the client side and server side with the default certificate, doesn't it do the same? What's different in the SSL handshake when I check the SSL Forward Proxy box or not?

0
Comment made 4 months ago by igorzhuk 69

I configured SSL Forward Proxy on the client and server profiles. I have an explicit HTTP profile. I configured my computer's browser to proxy via this VIP and I got an error. When I look at ssldump I do not see any SSL handshake. Why?

0
Comment made 4 months ago by Kevin Stewart

SSL Forward Proxy is a mechanism for "forging" a server certificate to the client in a forward proxy scenario.

For inbound reverse proxy traffic, you own the server certificate, so external TLS requests from clients terminate at the F5 and clients are presented with the certificate on the F5.

For outbound forward proxy traffic, you do not own the remote www.google.com certificate (for example), so to decrypt this you must generate a new locally-issued/locally-trusted www.google.com certificate to send to the client. This is what the SSL Forward Proxy feature does. If you simply insert separate client and server SSL profiles on outbound traffic, users would get certificate errors for everything.

1
Comment made 4 months ago by Stanislas Piron 10454

Hi igorzhuk,

Kevin explained well how SSL Forward Proxy works!

If you want to configure it, you can follow this link for tmsh commands.

1
Comment made 4 months ago by igorzhuk 69

Thanks Kevin Stewart, thanks Stanislas Piron. It works with your link.

0