Why do you terminate the ssl on the F5 and not on the Apache-backend? We load balance IP/Port-based on the F5 and terminate the SSL on the Apache backend, so you would be able to turn on your SSLEngine and Proxy the SSL from the F5 on the SSL Standard SSL Port 443 of the Apache and you can do everything you want because you have all SSL information. Cheers, André -----Ursprüngliche Nachricht----- Von: Eric Covener [mailto:covener@xxxxxxxxx] Gesendet: Donnerstag, 26. Juni 2014 00:05 An: users@xxxxxxxxxxxxxxxx Betreff: Re: Client certificate auth behind f5 loadbalancer On Wed, Jun 25, 2014 at 5:53 PM, Marc Schöchlin <ms@xxxxxxxxxx> wrote: > in my understanding authentication using client certificates is just a > cryptographic validation of a public/private keypair over a already > established ssl-secured channel. > For example, it is possible to use a official certificate for the ssl > channel and my own ca for client certificate validation. It's part of the handshake, which can be later scrutinized by the application layer. However, there is no standard way to share the the client certificate authenticated by a proxy with a backend origin server, and no way at all that mod_ssl is willing to receive (that I am aware of) -- Eric Covener covener@xxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|