atoth
Oct 21, 2015

2-Way SSL Authentication with irules.

I've got a requirement to implement an iRule on a VIP, which would redirect traffic to another VIP on the same LB, based on a simple URI. Easy-peasy, right? However, it turns out that the customer is using two-way SSL authentication. Now this thread (https://devcentral.f5.com/questions/2-way-ssl-implementation-25325) was most helpful, but I still have a few questions.

  • 1) The customer's SSL certificate is self-signed. From what I understand, this won't fly, and they must get a certificate with an intermediate cert bundle that can be installed on the F5. Correct?
  • 2) All the modifications take place on the client profile. I need to set Client Authentication to request or require and specify the intermediate cert bundle in this section as well.
  • 3) Can I set a server SSL profile on the originating VIP (VIP1)? VIP2 doesn't have SSL traffic offloading enabled.
  • 4) If I can't set a server SSL profile on VIP1, what happens to the default traffic that is going to the pool under VIP1?

Comments inline.

    1) The customer's SSL certificate is self-signed. From what I understand, this won't fly, and they must get a certificate with an intermediate cert bundle that can be installed on the F5. Correct?

The burden of trust here is on the client in this case, so you technically can use a self-signed server certificate, but it is NEVER a best practice.

    2) All the modifications take place on the client profile. I need to set Client Authentication to request or require and specify the intermediate cert bundle in this section as well.

Correct. The Client Authentication option will set the VIP to request a client certificate (mutual PKI authentication). The settings dictate what happens if the user doesn't provide a certificate or if certificate validation fails. Request is a "fail open" and Require is a "fail closed". The Trusted Certificate Authorities option takes a single certificate authority (CA) certificate or a bundle of them. This needs to be the complete chain of CAs up to and including the self-signed root CA.

    3) Can I set a server SSL profile on the originating VIP (VIP1)? VIP2 doesn't have SSL traffic offloading enabled.

A server SSL profile is only needed if you need to re-encrypt to the server. It has no bearing on client side mutual authentication.

    4) If I can't set a server SSL profile on VIP1, what happens to the default traffic that is going to the pool under VIP1?

It won't be encrypted.
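As an added example that is not part of this thread (neither the poster's nor the respondent's code), here is an iRule that ties the two halves together: the URI-based hand-off to the second VIP and the "fail open" versus "fail closed" behaviour described above. It assumes VIP1's client SSL profile has Client Authentication set to "request" with the customer's full CA chain as Trusted Certificate Authorities, that the second virtual server is named vip2, and that only requests under /partner/ should be sent there; all of those names and paths are assumptions.

```tcl
# Added example, not from the original thread. Assumed setup: VIP1's client
# SSL profile uses Client Authentication = "request" (fail open) with the
# customer's CA chain in Trusted Certificate Authorities; the second virtual
# server is named "vip2" (assumed); only /partner/ traffic goes to it.

when CLIENTSSL_CLIENTCERT {
    # Fires only when the client actually presented a certificate.
    # SSL::verify_result is 0 (X509_V_OK) only if the chain validated
    # against the Trusted Certificate Authorities bundle. In "request"
    # mode the handshake still completes on failure, so record the result.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set client_cert_ok 1
        set client_cn [X509::subject [SSL::cert 0]]
    } else {
        set client_cert_ok 0
    }
}

when HTTP_REQUEST {
    # Default traffic falls through to VIP1's own pool. With no server SSL
    # profile on VIP1 that leg is plain HTTP, as the reply notes.
    if { [HTTP::uri] starts_with "/partner/" } {
        # The event above never ran if no certificate was offered, so the
        # variable may not exist at all; treat both cases as "not proven".
        if { ![info exists client_cert_ok] || !$client_cert_ok } {
            # Enforce fail-closed for this path only, even though the
            # profile itself is fail-open for everything else.
            log local0. "mTLS required for [HTTP::uri] from [IP::client_addr]"
            HTTP::respond 403 content "Client certificate required"
            return
        }
        # Pass the validated subject to the next hop for logging/authz.
        HTTP::header insert X-Client-Cert-Subject $client_cn
        # Hand the connection to the second virtual server on this box.
        virtual vip2
    }
}
```

With Client Authentication set to "require" instead, the handshake itself would reject clients without a valid certificate and the 403 branch would never be reached.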