F5 SSL Everywhere

Recommendations

Info

RECOMMENDED PRACTICES F5 SSL Everywhere How all the clients got their certificates is a management problem all in itself. Typically all the clients are members of a well-funded organization (like a branch of the military) or Wall Street traders, for instance. And often the certificates reside on smart cards or other devices where they are accessed over public key cryptography standard (PKCS) protocol #11. Part 8 of the DevCentral series on SSL profiles provides a detailed breakdown of exactly how client certificate authentication works within the TLS handshake. Historically, the most common intersection of client certificate authentication and the F5 platform occurs in SSL termination and SSL bridging modes: the BIG-IP device is acting as the SSL server to a client on the Internet and authenticating that client’s certificate. The back-end servers, which trust the BIG-IP system, need to get information about the client certificate. There are three ways to forward that client certificate information to the servers: • X509 extraction The oldest trick (and still one of the easiest) is to extract and insert fields from the client certificate’s X509 directory information into the underlying HTTP stream as headers. A typical iRules script might include gathering the issuer of the client certificate and then inserting it into the HTTP request to the server as “F5_CLIENT_ ISSUER=[X509::issuer [SSL::cert 0]]”. See this DevCentral post for a more complete example. • X509 whole certificate extraction A similar method is to extract and insert the entire certificate itself into the HTTP stream as a multi-line PEM-encoded header. Obviously, the server-side code will have to reassemble the certificate. The server can do the reassembly using a code library or by executing the openssl x509 command. The iRules script to do this on the BIG-IP device would look as simple as: when HTTP_REQUEST { if { [SSL::cert count] > 0 } { HTTP::header insert “F5CC” [X509::whole [SSL::cert 0]] } } • ProxySSL mode There is a way to forward client certificates directly to the back-end server with a special F5 SSL setting called proxySSL mode. With proxySSL, the BIG-IP device must use the same certificate and key as the back-end server. Clients can then connect all the way through to the server and authenticate with their certificates. 20
RECOMMENDED PRACTICES F5 SSL Everywhere The BIG-IP device can provide passive monitoring of the session. ProxySSL should only be used when there is a requirement for client certificate authentication directly to the back-end servers. See SSL and the OWASP Top Ten later in this document for more information about proxySSL. F5 recommended practices for client certificates: • The SSL profile has a three-way setting for client certificate authentication: none, request, and require. When require is used and the client authentication fails for some reason (such as an expired certificate or OCSP failure), the user gets an ugly browser message. Some administrators use the request setting instead, which allows them to receive the certificate but passes the connection through even if authentication fails. When using the request setting, also use an iRules script that checks the certificate verification result and presents a more aesthetic error message or an HTTP 302 redirect. • Configure at least one revocation method—whichever one is best supported by the certificate authority—for client certificates. Certification revocation lists (CRLs) can be supported directly in the SSL profile. The other methods (OCSP and CRL distribution point or CRLDP) must be done via iRules. See the revocation section of this document for more information. • The TLS protocol includes a way to force a new handshake but without breaking the TCP connection. This is called a renegotiation and can be used to transition a client from one authenticated state (none) to another (client certificate authentication). However, the IETF frequently threatens to remove renegotiation, so consider it abandoned, and use it accordingly. • SSL forward proxy is a special mode that intercepts outbound SSL requests from a client on the inside of the BIG-IP platform boundary (inside the data center). This mode is used with the SSL outbound visibility deployment scenario. The BIG-IP device may try to intercept connections that are using client certificate authentication, but it will very likely not know what to do with the resulting connection. Whitelist any allowed, known hosts into a bypass list so that the BIG-IP device will not interfere. • There is a setting called “retain certificate” in clientssl profiles. This setting will improve the user experience by caching the client certificate across multiple connections (thereby avoiding extra popups in the browser). Enable this setting unless using a rare high-bandwidth, low-memory configuration where the extra few kilobytes associated with each connection could impact overall system performance. 21
Page 1 and 2: RECOMMENDED PRACTICES F5 SSL Everyw
Page 19: RECOMMENDED PRACTICES F5 SSL Everyw
Page 53: RECOMMENDED PRACTICES Advanced Thre

F5 SSL Everywhere

Create successful ePaper yourself

Delete template?

Save as template?