Forum Discussion

smiley_dba_1116
Nov 05, 2012

Use an SSL cert to decrypt traffic

So here is the issue. Traffic that passes through the F5 is encrypted from the client straight to the members. The F5 doesn't do the SSL termination, but just a passthrough. Is it possible to get the cert, add it into the LTM, and then use it in an iRule to look for an HTTP header?

client--HTTPS--->VS(HTTPS)--->HTTPS---->Member

Basic idea, load up the cert, create an iRULE to use the cert to decrypt the traffic while it passes the LTM.

RGW

3 Replies

  • You'll need the SSL/TLS certificate AND private key installed on the BIG-IP. Then create an SSLClient profile and assign it to the relevant Virtual Server. You can then apply iRules and a host of other good LTM features. If you need to re-encrypt to the real servers too, you'll need to create an SSLServer profile and assign it to the VS too; this will contain the server certificate etc.
  • I think ProxySSL is the exact feature you are requesting, and I believe it's only in version 11. Search devcentral and askf5 for it.

  • In a word, no.

    When the client sends its certificate to the server, it does so AFTER digitally signing a portion of the response with its private key. In order to pass the client's certificate in an SSL negotiation to the server, BIG-IP would have to have a copy of the client's private key.

    You have at least two options:

    1. ProxySSL - this is a "man-in-the-middle" SSL technique that allows the BIG-IP to be part of the SSL negotiation between endpoints. So you get complete end-to-end SSL but also the ability to (transparently) decrypt and inspect the HTTP data. It's available starting with v11.

    2. Decrypt and pass HTTP headers - if you can justify terminating the SSL at the BIG-IP (with the added performance benefit), this is a tried and true solution. Terminate the SSL and send the X509 certificate data in an HTTP header (or other data component).
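As an added example, not code from any of the posters, this iRule shows what the first reply's setup (certificate and private key installed, a Client SSL profile on the Virtual Server) and option 2 of the last reply (terminate SSL, pass X509 data to the members in HTTP headers) look like together. It assumes the Client SSL profile has client authentication set to "request" or "require", an HTTP profile is on the VS, and the pool members read the X-Client-Cert-* header names chosen here; all of those names are assumptions.

```tcl
# Added example iRule (not from the original thread). Runs on a virtual server
# that terminates TLS with a Client SSL profile configured to request or
# require a client certificate, plus an HTTP profile.

when CLIENTSSL_CLIENTCERT {
    # Fires when the client presents a certificate during the handshake.
    # Capture what the members need here; HTTP_REQUEST runs later on the flow.
    if { [SSL::cert count] > 0 } {
        set cert_der     [SSL::cert 0]
        set cert_subject [X509::subject $cert_der]
        set cert_issuer  [X509::issuer $cert_der]
        set cert_serial  [X509::serial_number $cert_der]
        # Base64-encode the DER blob so it is safe to carry as a header value
        set cert_b64     [b64encode $cert_der]
    }
}

when HTTP_REQUEST {
    # Never trust these headers as sent by the client: a request could carry
    # its own X-Client-Cert-* headers to impersonate another certificate.
    # Strip them first so the members only ever see values taken from the
    # handshake on this BIG-IP.
    foreach name { "X-Client-Cert" "X-Client-Cert-Subject" \
                   "X-Client-Cert-Issuer" "X-Client-Cert-Serial" } {
        HTTP::header remove $name
    }

    # Only insert the headers when a certificate was actually presented;
    # members can treat the absence of X-Client-Cert as "no client cert".
    if { [info exists cert_b64] } {
        HTTP::header insert "X-Client-Cert"         $cert_b64
        HTTP::header insert "X-Client-Cert-Subject" $cert_subject
        HTTP::header insert "X-Client-Cert-Issuer"  $cert_issuer
        HTTP::header insert "X-Client-Cert-Serial"  $cert_serial
    }
}
```

Two points worth checking when deploying something like this: the members must accept these headers only from the BIG-IP (a server-side firewall rule or the Server SSL re-encryption the first reply mentions, so a client cannot reach a member directly and supply the headers itself), and CLIENTSSL_CLIENTCERT does not fire on a resumed TLS session, so a production version usually caches the certificate details in the session table keyed by SSL::sessionid and looks them up in HTTP_REQUEST when the variables are not set.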