Forum Discussion

NIrving's avatar
NIrving
Icon for Nimbostratus rankNimbostratus
Feb 28, 2021

Proxy SSL and rejecting unwanted Client Authentication

Morning

I have a server configure for mTLS and I would like to be able to inspect the Client Certificate presented and reject if some criteria matches, preferably via Proxy SSL.

 

However from what I am seeing it looks like that the F5 LTM cannot see the handshake and therefore reject during negotiation. I am assuming that this is what is meant by application traffic, i.e non handshake traffic.

 

Is there a way I can keep client authentication on the backend server and still intercept the client SSL handshake so that I can perform a reject.

 

The reason is that I have a large number of clients out there that I need to do an IP check against based on details in the subjectdn of the client certificate. I.e I take a value from the dn and use it to lookup a value and reject if not valid.

 

I need to keep the client cert and pass it down to an AMQP instance as it is configured for client certificate authentication.

 

Could I for example generate a cert on the fly to pass through to the backend server? Or is there a better way to do this?

 

Nicholas

 

 

 

 

 

 

application delivery
BIG-IP
iRules
security

2 Replies

Sort By
    • NIrving's avatar
      NIrving
      Icon for Nimbostratus rankNimbostratus
      Mar 02, 2021
      Thanks Pete. I discovered this last night and manages to get it working in my lab. It's not ideal as it rewrites certificates and I need to work out if it can pass through our extension requirements, but it is looking promising. Once I figure out how to upvote will make this the answer and thanks for your time in replying