0

My organization recently added F5 SSL Orchestrator to our network that ended up breaking one of our SSL certs. There is an explanation of how SSL Orchestrator works from F5 here. The description from F5 explains that encrypted SSL traffic is decrypted and inspected for malicious traffic and then re-encrypted and sent on its way.

My question is how can this be done without SSL Orchestrator getting access to the private keys of the client and server? I thought the purpose of SSL was to prevent third parties from intercepting traffic.

Also it appears that SSL orchestration is breaking some certs while not affecting others. Is there any reason why certain certs do not work with SSL orchestration?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Daniel Haverporth
  • 1
  • 5
    Does this answer your question? [How does SSL Proxy server in company work?](https://security.stackexchange.com/questions/133254/how-does-ssl-proxy-server-in-company-work) – ysdx Aug 24 '21 at 22:54
  • It's important to note that the product is called "Orchestrator". But what it does is not "orchestration". It performs TLS inspection/interception. It's called "Orchestrator" because once TLS is broken, it can orchestrate the other services it provides to deal with the content. – schroeder Aug 25 '21 at 09:59

1 Answers1

1

... getting access to the private keys of the client and server

No private keys of clients are involved here in the first place. These private keys of the server certificates are relevant though, so either the F5 needs to get access to the original certificates and keys, or new certificates with keys for the same domains need to be created specifically for the F5.

... SSL was to prevent third parties from intercepting traffic

F5 is the SSL endpoint here from the perspective of the client, i.e. it is not third party. This is how SSL termination in reverse proxies like load balancers or Web Application Firewalls or content delivery networks works. That the connection between F5 and the original server is also done using TLS is a detail the client does not see.

... Is there any reason why certain certs do not work with SSL orchestration?

I doubt that there is an inherent limitation, at least assuming modern certificates acceptable to common browsers. It is likely just misconfiguration. No specifics about the problems can be derived though from this broad statement so no more specific answer is possible.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424