Forum Discussion

Mike_Rausch_628
Mar 17, 2010

SSL Certificates and PKI

Our application allows users to log in to the web server using PKI certificates and all SSL offloading is done on the server.

I was wondering if you could have a client connect to the BIGIP to a Client Side SSL profile, have the BIGIP decrypt, use iRules for specific tasks, re-encrypt and send to server and still allow the users PKI cert to pass through to the web server?

I did read that you can insert client cert info into the HTTP headers but I do not know much about that.

I am new to the SSL Certs on the BIGIP so any help would be appreciated.

Thanks

Mike

3 Replies

  • Hi Mike,

    As Deb explained a while back, it isn't possible to have LTM use the client's cert to establish an SSL handshake with the pool members.

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=22280&ptarget=22289

    There is no mechanism by which to directly forward the client's certificate via the standard authentication process, since using the client's cert to establish the session would require the LTM to use the client's private key as well. (A man-in-the-middle attack, basically)

    You can instead use the session table to store the certificate & send it to the server via headers, assuming your app can pick it up from there. Here's an example from the iRules codeshare:

    http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html

    HTH

    /deb

    Aaron
  • Isn't this different now that SSL Proxy is an option in the SSL profile with the newer code?
  • Exactly! Given a copy of the server's private key, ProxySSL becomes a party to the key negotiation between the client and server so that it has a copy of the derived session key used for encryption. So while the BIG-IP is technically decrypting and re-encrypting, the client and server are completely unaware.

    That said, there are some limitations to what you can do with ProxySSL. The client and server have to be able to negotiate their SSL session uninterrupted. Any iRules you use must not alter the path or flow of the traffic.
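The session-table-plus-headers approach from the first reply, written out as an added iRule example (this is not the thread's own code and not the linked codeshare entry); the header names, the one-hour session-table timeout and the use of base64 for the stored certificate are assumptions made here:

```tcl
# Added example: capture the client certificate during the client-side SSL
# handshake, keep it in the session table keyed on the SSL session ID, and
# present it to the pool member as HTTP headers on every request that rides
# on that session. Requires a Client SSL profile with Client Authentication
# set to "request" or "require", otherwise CLIENTSSL_CLIENTCERT never fires.
when CLIENTSSL_CLIENTCERT {
    # SSL::cert 0 is the DER-encoded leaf certificate the client presented
    if { [SSL::cert count] > 0 } {
        # base64 so the stored value is plain text (assumption: no size limit issues)
        set cert_b64 [b64encode [SSL::cert 0]]
        # 3600 s lifetime; key on the SSL session ID so later requests can find it
        session add ssl [SSL::sessionid] $cert_b64 3600
    }
}

when HTTP_REQUEST {
    # Strip any client-supplied copy of these headers first: the pool member
    # will treat them as authenticated identity, so only the BIG-IP may set them.
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-Cert-Subject"

    set cert_b64 [session lookup ssl [SSL::sessionid]]
    if { $cert_b64 ne "" } {
        # Full DER certificate (base64) for apps that want to validate it themselves
        HTTP::header insert "X-Client-Cert" $cert_b64
        # Convenience header with the subject DN; X509::subject expects DER input
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject [b64decode $cert_b64]]
    }
}
```

The application behind the pool must accept these headers only from the BIG-IP address, since the rule above, not the web server, is what ties them to a verified handshake.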