

Related articles: SSL Legacy Renegotiation vs Secure Renegotiation Explained using Wireshark

Summary

The idea behind this feature is to allow BIG-IP to inspect SSL connections to any Internet destination that pass through it, whilst preserving the client's trust in that destination. When the feature is enabled, BIG-IP uses a pre-installed CA, set under proxy-ca-cert (CA Certificate in the GUI), that is also trusted by the client's browser. BIG-IP impersonates the Internet destination by re-signing the server's certificate on the fly with that CA, using the public key of the certificate configured under cert on BIG-IP. The client trusts the connection and is unaware of BIG-IP's presence. The most common use case is Secure Web Gateway (SWG), although neither APM nor SWG is needed to deploy SSL Forward Proxy functionality; LTM is enough.

The flow is as follows:

1. Client opens a connection with BIG-IP and sends Client Hello.
2. BIG-IP immediately opens a connection with the web server and completes the server-side SSL handshake.
3. BIG-IP creates a unique certificate with the following information and sends it to the client alongside the Server Hello (in the Certificate message):
   - Validity: notBefore is copied from server1.crt; notAfter is 30 days from the time the certificate was generated (configurable via cert-lifespan, or Certificate Lifespan in the GUI).
   - All X.509 extensions allowed in cert-extensions-include are also copied from server1.crt to the unique custom certificate.
4. The client-side handshake completes successfully using the dynamically generated certificate just created by BIG-IP, and data exchange works as expected.

The actual capture used for the explanation below is attached to this article (and here: ssl-forward-sample-3.pcap).

Upon Client Hello sent by the client, BIG-IP rushes to open a new connection and completes the server-side SSL handshake:
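The re-signing step described above, as an added illustration in Python (this is not BIG-IP code and not from the article): a constructed self-signed certificate stands in for server1.crt, one in-memory RSA keypair stands in for proxy-ca-cert/proxy-ca-key and another for cert/key on the clientssl profile, and the CERT_EXTENSIONS_INCLUDE set and CERT_LIFESPAN_DAYS are assumed stand-ins for the cert-extensions-include and cert-lifespan settings. It requires the third-party cryptography package. The forged leaf keeps the origin's subject, notBefore and whitelisted extensions, takes its public key from the profile keypair and its signature from the proxy CA; the last two checks show that it verifies only against the proxy CA, which is exactly why that CA has to be in the client's trust store.

```python
# Added illustration of the forward-proxy re-signing step; not BIG-IP code and not from the article.
# Assumed stand-ins: in-memory RSA keypairs for proxy-ca-cert/proxy-ca-key and for cert/key on the
# clientssl profile, a constructed self-signed cert for server1.crt. Needs the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

UTC = datetime.timezone.utc
CERT_LIFESPAN_DAYS = 30  # assumed stand-in for cert-lifespan: notAfter = generation time + 30 days
# Assumed stand-in for cert-extensions-include: only these extensions are copied from the origin cert.
CERT_EXTENSIONS_INCLUDE = {ExtensionOID.SUBJECT_ALTERNATIVE_NAME, ExtensionOID.KEY_USAGE}


def _utc(dt):  # older cryptography releases return naive UTC datetimes; normalise to aware UTC
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def _validity(cert):
    try:  # cryptography >= 42
        return _utc(cert.not_valid_before_utc), _utc(cert.not_valid_after_utc)
    except AttributeError:
        return _utc(cert.not_valid_before), _utc(cert.not_valid_after)


def _cn(name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_proxy_ca(now):
    """Constructed CA playing proxy-ca-cert/proxy-ca-key; the client's browser must trust it."""
    key = _new_key()
    cert = (x509.CertificateBuilder()
            .subject_name(_cn("Forward Proxy CA")).issuer_name(_cn("Forward Proxy CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def make_origin_cert(hostname, not_before):
    """Constructed self-signed stand-in for server1.crt: a SAN (in the include list) plus a
    BasicConstraints extension that is deliberately outside CERT_EXTENSIONS_INCLUDE."""
    key = _new_key()
    cert = (x509.CertificateBuilder()
            .subject_name(_cn(hostname)).issuer_name(_cn(hostname))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert


def forge_server_cert(origin, ca_cert, ca_key, profile_public_key, now):
    """Leaf the proxy presents to the client: subject, notBefore and included extensions from the
    origin cert, public key from cert/key on the profile, notAfter = now + lifespan, CA-signed."""
    not_before, _ = _validity(origin)
    builder = (x509.CertificateBuilder()
               .subject_name(origin.subject).issuer_name(ca_cert.subject)
               .public_key(profile_public_key).serial_number(x509.random_serial_number())
               .not_valid_before(not_before)
               .not_valid_after(now + datetime.timedelta(days=CERT_LIFESPAN_DAYS)))
    for ext in origin.extensions:
        if ext.oid in CERT_EXTENSIONS_INCLUDE:
            builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())


def signed_by(cert, issuer):
    """True if issuer's public key verifies cert's signature (the core of the client's trust check)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def demo(hostname="www.example.com"):
    now = datetime.datetime.now(UTC).replace(microsecond=0)
    ca_cert, ca_key = make_proxy_ca(now)
    profile_key = _new_key()  # stand-in for cert/key on the clientssl profile
    origin = make_origin_cert(hostname, datetime.datetime(2023, 1, 1, tzinfo=UTC))
    forged = forge_server_cert(origin, ca_cert, ca_key, profile_key.public_key(), now)
    f_before, f_after = _validity(forged)
    san = forged.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    return {
        "subject_copied": forged.subject == origin.subject and forged.issuer == ca_cert.subject,
        "not_before_copied": f_before == _validity(origin)[0],
        "lifespan_days": (f_after - now).days,
        "san": san.get_values_for_type(x509.DNSName),
        "basic_constraints_dropped": all(e.oid != ExtensionOID.BASIC_CONSTRAINTS for e in forged.extensions),
        "key_from_profile": forged.public_key().public_numbers() == profile_key.public_key().public_numbers(),
        "key_differs_from_origin": forged.public_key().public_numbers() != origin.public_key().public_numbers(),
        "trusted_via_proxy_ca": signed_by(forged, ca_cert),
        "trusted_via_origin": signed_by(forged, origin),  # False: the client needs the proxy CA in its store
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Running it prints one line per check. The basic_constraints_dropped entry shows that an extension outside the include list is not carried over, and key_differs_from_origin shows the client never sees the origin server's public key: it is negotiating with the profile's keypair, signed by the proxy CA.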
