ic3man1986_2846
Apr 10, 2017

Big IP proxy ssl feature question

Hi guys,

I've a question about the Proxy SSL feature.

I had a virtual server with a client and a server certificate. Both have the Proxy SSL feature enabled. I think it works fine. I could authenticate against the backend server with a client certificate.

But the problem is the following.

From the client side I use the URL https://test.domain.de with a corresponding official certificate.

In the backend, I must use a different certificate with the CN name from the backend server ().

Now, when the client requests the URL https://test.domain.de, he gets a certificate error, because the certificate is from the backend server. So there is no match between the URL https://test.domain.de and the certificate from the backend server.

Is it normal that the client gets the certificate from the backend server while Proxy SSL is enabled? Or is there some configuration mistake?

Thanks for your help.

 

2 Replies

  • Hi,

    Be aware that Proxy SSL does not make much sense these days. Most of the ciphers used (especially DH) break this functionality - BIG-IP is not able to decrypt traffic.

    Except for some very special requirements where you have to ensure that BIG-IP is able to decrypt, there is no point in using Proxy SSL; just let SSL traffic go through BIG-IP encrypted.

    If you have to let BIG-IP decrypt traffic, then you have to ensure that your backend server will accept only ciphers that allow decryption on BIG-IP = rather ancient and not very safe ciphers.

    Piotr
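
The cipher point in the reply above can be checked against a backend's cipher list. This is an added example, not part of the thread and not F5 code: it sorts OpenSSL-style suite names by key exchange, on the assumption that only RSA key transport lets a device holding just the server's private key decrypt the session. The function names and both sample cipher lists are constructed for illustration.

```python
# Added example: sort OpenSSL-style cipher suite names by key exchange, to see
# which ones a device holding only the server's RSA key could decrypt.

# Ephemeral (EC)DH: session keys never cross the wire, so the server's
# private key alone cannot recover them. TLS 1.3 names (TLS_*) always use it.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")
# Anonymous, static-DH, PSK and SRP exchanges: not RSA key transport either.
OTHER_PREFIXES = ("ADH-", "AECDH-", "ECDH-", "DH-", "PSK-", "RSA-PSK-", "SRP-")


def classify(name: str) -> str:
    """Return 'ephemeral-dh', 'other' or 'rsa-kx' for one OpenSSL cipher name."""
    name = name.strip().upper()
    if name.startswith(EPHEMERAL_PREFIXES):
        return "ephemeral-dh"
    if name.startswith(OTHER_PREFIXES):
        return "other"
    # Assumption: in OpenSSL naming, a TLS 1.2-or-older suite with no
    # key-exchange prefix (AES128-SHA, DES-CBC3-SHA, ...) uses RSA key transport.
    return "rsa-kx"


def audit(cipher_string: str) -> dict:
    """Group a colon-separated cipher list (explicit names only) by class."""
    groups = {"rsa-kx": [], "ephemeral-dh": [], "other": []}
    for name in filter(None, (n.strip() for n in cipher_string.split(":"))):
        groups[classify(name)].append(name)
    return groups


def decryptable_with_server_key(cipher_string: str) -> bool:
    """True only if every offered suite uses RSA key transport."""
    groups = audit(cipher_string)
    return bool(groups["rsa-kx"]) and not (groups["ephemeral-dh"] or groups["other"])


# Constructed sample: what a typical modern backend might offer.
MODERN_BACKEND = ("TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                  "DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-SHA")
# Constructed sample: the same backend restricted to RSA key transport.
RESTRICTED_BACKEND = "AES128-GCM-SHA256:AES256-SHA"

if __name__ == "__main__":
    for label, ciphers in (("modern", MODERN_BACKEND), ("restricted", RESTRICTED_BACKEND)):
        print(label, audit(ciphers), decryptable_with_server_key(ciphers))
```

The restricted list passes only because it gives up every forward-secret suite, which is the trade-off the reply describes.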