Hi, Currently we only do client-side SSL on the F5. I've been asked if we can encrypt the traffic from the F5 to web servers. I know the F5 can do server side ssl so just wonderered if someone could confirm the follwing steps are correct to do this? Install a certificate on the web servers, a self signed certificate should be OK. Create a server side SSL profile on the LTM. Apply the SSL profile to the Virtual Server It seems very simple, am I correct? Also could this have any impact on the ASM as we are just starting to set this up? Thanks Darren

Yes it is that simple, ensure your Server side SSL profile trusts the Issuer and you are ok. I doubt it affects ASM as that module will inspecting after clientSSL and serverSSL but as I am about to implement ASM too I'll be interested in hearing any other comments too.

I agree it is that simple. In fact you can typically just use the default serverSSL profile. The only time I have created a sepperate profile is if I needed to support Sal client certs being sent to the backend. As for ASM, this will have no effect because the reencrypt doesn't occur until after ASM.

100% correct. It really is that simple. You CAN make it difficult if you like... But remember the trade offs. The biggest advantage of doing offload in the first place is not having to doit to the backend... So the backend doesn't have to do the processing... Of course with longer keylengths you can trade off security with a shorter keylength for the server side... But generally in most environments you're not buying a lot when you re-encrypt... If an attacker can snoop your backend traffic (WHich is what serverside SSL is guarding against), you're already broken... H

As someone who configures and maintains F5 boxes, I'm totally on board with Hamish's statements about re-encrypting not being necessary. With that said though, I also work in an environment where our security team has begun requiring it in certain areas. As long as physical access control is there, it's not a PCI requirement but re-encryption is almost considered a last line of defense in case someone internal goes rogue. Of course, if that's a true requirement, there are still opportunities to minimize the performance impact. As Hamish also mentioned, using a shorter keylength can be a great option. We have an application that cannot support larger than 1024-bit. Since CAs now require 2048 or larger, LTM essentially allowed the application to continue working.

We currently have this same setup where we are doing offloading on the LTM's, then from the LTM's to the web servers we are using the Server SSL functionality. The certs we are using on the Server SSL profile are the defaults. Everything works fine. Something that bothers me though is how this is actually working, for the Server SSL to work, the LTM is essentially acting as an SSL client to the server, correct? So how is the server decrypting the traffic from the LTM if it doesn't have the private key of default cert of the LTM? Thank you

Server-side SSL | DevCentral

24 Replies

nitass
Employee
Oct 18, 2011
I usually get certificate error whenever I access any page with self signed certificate, will f5 show similar behaviorif you mean serverssl, no if trusted certificate authorities is configured correctly. the default is none which means f5 will accept server (pool member)'s certificate signed by any ca.

The Trusted Certificate Authorities setting is optional. This setting is used to specify the CA(s) that BIG-IP trusts when verifying a server certificate. The default value is None, which means the BIG-IP system will accept a server certificate signed by any CA.

sol11220: Overview of the Server SSL profile

http://support.f5.com/kb/en-us/solutions/public/11000/200/sol11220.html

I just want f5 to recognise the certificate as trusted, could you tell me how can I do this. you have to import ca certificate who signs server (pool member)'s certificate or server certificate itself (in case of self-signed) and set it as trusted certificate authorities.

hope this helps.
Arie
Altostratus
Jan 20, 2014
Some suggestions:

Depending on the security requirements, you may be able to save some cycles by using weaker encryption in the DMZ.
Use the longest expiration the security requirements allow. In my experience many organizations purchase certs with a one-year expiration because of financial/budget consideration and/or uncertainty regarding the life span of the web site. Setting the self-signed cert to expire later saves some administrative overhead.
Use the same self-signed cert in the DMZ for all VIPs if the security requirements allow it.

Forum Discussion

Server-side SSL

24 Replies

Recent Discussions

check add route default in f5 with mode ip forward node server to internet behind ltm f5

How can I recover my money from a fake Bitcoin investment website?

BUG Query

F5 Distributed cloud Account

Creating a GTM Pool error

Related Content

SSL Heartbleed server side iRule

Server Side SSL profile not match with Client side SSL profile?

Client-side vs Server-side Load Balancing

Server Side Profile not show the certificate

Client side to server side SNI relay iRule