Forum Discussion

dlogsdonmd
Feb 25, 2016

When would I use serverssl profile instead of clientssl profile?

Hello,

Our default for our VS objects is clientssl profiles. We typically create both an HTTP and an HTTPS object, assign an HTTP->HTTPS redirect to the HTTP object, and configure and assign a clientssl profile to the HTTPS object. We do not install SSL certs on the servers.

The two main reasons are 1) to offload HTTPS processing load onto the LTM and 2) to simplify certificate management.

We now have a request to pass HTTPS to the end webapp server as a means to get the site to do something the developer seems not to be able to get it to do with code. (I don't think passing the HTTPS to the server is going to fix the issue.)

I have considered that using a serverssl profile might provide the needed encryption to the webapp servers without passing on the decryption processing overhead. HOWEVER, my reading this morning seems to indicate the decryption would still be done at the end server and we'd still need certificates on the servers as well.

Can someone help me understand in what scenario a serverssl profile would be appropriate?

Thanks much!

Diane

2 Replies

  • If you have a client ssl profile and a server ssl profile you are doing 'ssl bridging'. This means that you are decrypting on the F5, then the F5 as a client starts a new ssl session with the backend server. This method allows the F5 to see layer 7 traffic, but the traffic is encrypted on both the client side and the server side of the connection.

  • Using the default serverssl profile on the server side in conjunction with a client-ssl clientside profile will effectively terminate ssl at your BIG-IP on the client side and then re-encrypt to the server, i.e. decrypt & re-encrypt.

    If you're doing anything that depends on looking into your stream, like using cookie persistence, you still need to terminate ssl on the client side. If you don't, then there is no need for a clientside or serverside ssl profile; just pass the ssl right on through. But again, you're limited in your persistence choices and any involved iRules.

    Whether you pass ssl through or terminate and re-encrypt, the server would also need a cert and would effectively decrypt ssl; as you suspect, you're not saving any processing cycles here. Note: the server can have an ica cert vs. the real CA cert, as SSL errors would not be seen by the client.
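To make the three deployment modes discussed in the replies concrete, here is an added tmsh configuration example (not from the thread or from F5's documentation) showing the same virtual server built for SSL offload, SSL bridging, and SSL passthrough. The object names, the 203.0.113.10 address, the pool names, and the app.example.com.crt / app.example.com.key files are assumed placeholders; the cert and key are assumed to be already imported into the BIG-IP, and the pools are assumed to exist.

```tmsh
# --- Mode 1: SSL offload (the poster's current default) ---
# clientssl only: BIG-IP terminates TLS, members receive plaintext HTTP on port 80.
# Servers need no certificate; BIG-IP does all the TLS work. L7 visible, cookie persistence works.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app.example.com.crt key app.example.com.key
create ltm virtual app_https_offload destination 203.0.113.10:443 ip-protocol tcp pool app_pool_http profiles add { tcp http app_clientssl } persist replace-all-with { cookie } source-address-translation { type automap }

# --- Mode 2: SSL bridging (clientssl + serverssl) ---
# BIG-IP decrypts the client session, inspects L7, then opens a new TLS session to members on port 443.
# Servers DO need a certificate and DO decrypt; this adds a second TLS hop rather than removing work.
create ltm profile server-ssl app_serverssl defaults-from serverssl
create ltm virtual app_https_bridge destination 203.0.113.10:443 ip-protocol tcp pool app_pool_https profiles add { tcp http app_clientssl app_serverssl } persist replace-all-with { cookie } source-address-translation { type automap }

# --- Mode 3: SSL passthrough (no SSL profiles at all) ---
# Encrypted bytes are forwarded untouched to members on port 443. No http profile can be applied,
# so no cookie persistence and no L7 iRules; only SSL session ID or source-address persistence remain.
create ltm virtual app_https_passthrough destination 203.0.113.10:443 ip-protocol tcp pool app_pool_https profiles add { tcp } persist replace-all-with { ssl } source-address-translation { type automap }
```

Two points worth checking on a real deployment: in modes 2 and 3 the pool members must listen for TLS on 443 with their own certificate, which is exactly the extra server-side work the question hoped to avoid; and in mode 2 the default serverssl profile does not validate the server's certificate (peer-cert-mode is "ignore"), which is why the second reply notes that a server certificate from an internal CA produces no error visible to the client. If you rely on that, decide deliberately whether the BIG-IP should instead validate the server certificate chain so that a swapped or expired backend certificate is noticed.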