Forum Discussion
Jan 28, 2015
Hi helm123,
the typical requirement would be to:
- provide the expected certificate to the client during handshake
- inspect http-payload (requires established SSL/TLS connection between client and virtual server)
- make a forwarding decision (considering persistency)
- re-encrypt http-payload before forwarding to selected real server (aka pool member)
For SSL/TLS termination between client and virtual server the client-ssl profile(s) is/are relevant.
For SSL/TLS communication between load balancer and real server the server-ssl profile(s) is/are relevant.
The client-ssl profile(s) contain(s) the server certificate, private key and intermediate CA certificate provided to the client.
The server-ssl profile(s) would contain client certificates to be provided to the real server (not required that often).
Switching SSL profiles is supported before doing the SSL/TLS handshake, i.e. after the CLIENT_ACCEPTED event is fired (right after 3-way handshake).
They cannot be changed after the SSL/TLS connection has been established to send a payload through the encrypted "tunnel".
I hope this helps a bit regarding the F5 terminology. :)
Thanks, Stephan
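The sequence Stephan describes (select the client-ssl profile in CLIENT_ACCEPTED, then make the forwarding decision once the decrypted HTTP payload is readable) can be written as a single iRule. The following is an added example and not code from the original post; the profile names `clientssl_site_a`/`clientssl_site_b`, the pool names `pool_site_a`/`pool_site_b`, the listening ports and the host names are assumed placeholders.

```tcl
# Added example iRule (not from the original post).
# Assumed placeholders: clientssl_site_a, clientssl_site_b, pool_site_a, pool_site_b.

when CLIENT_ACCEPTED {
    # Fires right after the TCP 3-way handshake and before any TLS record has
    # been read, so the client-ssl profile can still be switched here.
    # The decision is based on the local (virtual server) port, which is known
    # at this point; nothing from the TLS handshake is available yet.
    switch [TCP::local_port] {
        443  { SSL::profile clientssl_site_a }
        8443 { SSL::profile clientssl_site_b }
        default {
            # Keep whatever client-ssl profile is attached to the virtual server.
        }
    }
}

when HTTP_REQUEST {
    # By now the client-side SSL/TLS session is established and the request is
    # readable in clear text. The client-ssl profile can no longer be changed.
    switch [string tolower [HTTP::host]] {
        "a.example.com" { pool pool_site_a }
        "b.example.com" { pool pool_site_b }
        default         { pool pool_site_a }
    }
    # Cookie persistence keeps a returning client on the same pool member.
    # Assumed cookie name and timeout (seconds).
    persist cookie insert "BIGipSticky" 3600
}
```

Re-encryption toward the selected pool member needs no iRule logic: it happens through the server-ssl profile attached to the virtual server, which is also where a client certificate for the real server would be configured if one is required.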