Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols prevent client devices from presenting certificates to server devices if an intermediary proxy device, such as a network traffic management apparatus, is offloading and optionally re-encrypting the SSL communications between the two devices. The client device must sign its certificate response to the network traffic management apparatus with its own private key, and because the network traffic management apparatus does not hold a copy of the client device's private key, it cannot re-sign that response and so cannot present the client's certificate to the server device.
However, network traffic management apparatuses can tunnel the client-server SSL communications. Using a tunnel, the client device and server device can establish a true end-to-end SSL session and the client device can pass its certificate. However, such tunneling does not allow the network traffic management apparatus to analyze data (e.g., connection/session data) above OSI layer 4, or to use any such data to provide proxy functions (e.g., security services or load balancing). Accordingly, with tunneling, much of the intelligence of network traffic management apparatuses cannot be utilized.
Network traffic management apparatuses can also perform an SSL man-in-the-middle function, commonly referred to as ProxySSL. ProxySSL allows a client device and a server device to establish an end-to-end SSL session while also allowing a network traffic management apparatus to derive the same session encryption key, so that it can transparently decrypt and inspect higher-level payload data. However, ProxySSL does not support all cipher suites that a client device and server device may negotiate and is therefore of limited utility. More specifically, network devices increasingly support only the relatively secure ephemeral key-exchange cipher suites, which do not allow network traffic management apparatuses to take advantage of ProxySSL.
In one particular example, network traffic management apparatuses are not able to utilize ProxySSL techniques to analyze payloads associated with communications encrypted using Perfect Forward Secrecy (PFS) encryption, which utilizes such ephemeral keys and is increasingly used in communication networks. Accordingly, network traffic management apparatuses cannot effectively provide services that require higher level payload data for SSL connections between client and server devices in many communication networks.
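The distinction drawn in the two preceding paragraphs, between a key exchange whose session key an intermediary holding the server's long-term private value can recompute and an ephemeral (PFS) exchange where it cannot, is shown below as an added, self-contained example; it is not code from the patent or from any ProxySSL implementation. It assumes a constructed toy Diffie-Hellman group (the Mersenne prime 2**127 - 1, generator 2), uses SHA-256 of the shared secret in place of the TLS key schedule, and models the ProxySSL-compatible case as static DH in which the server reuses one private value across sessions. The function and variable names are the example's own.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group: the Mersenne prime 2**127 - 1 with generator 2.
# Chosen only so the arithmetic is fast and readable; real deployments use ECDHE or
# 2048-bit and larger FFDHE groups.
P = (1 << 127) - 1
G = 2


def keypair():
    """Generate a DH private exponent and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P - 2
    return priv, pow(G, priv, P)


def derive_session_key(own_priv, peer_pub):
    """Session key = SHA-256 of the shared DH secret (stands in for the TLS key schedule)."""
    shared = pow(peer_pub, own_priv, P)          # 1 <= shared <= P - 1, fits in 16 bytes
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def handshake(server_long_term_priv, ephemeral):
    """Run one client/server key exchange.

    ephemeral=False: the server reuses its long-term private value every session
                     (the situation a ProxySSL-style device relies on).
    ephemeral=True:  the server draws a fresh private value per session (PFS).
    Returns what an on-path proxy can observe (the public values) plus the keys
    each endpoint derives, so the two views can be compared.
    """
    client_priv, client_pub = keypair()
    if ephemeral:
        server_priv, server_pub = keypair()
    else:
        server_priv = server_long_term_priv
        server_pub = pow(G, server_long_term_priv, P)
    return {
        "client_pub": client_pub,
        "server_pub": server_pub,
        "client_key": derive_session_key(client_priv, server_pub),
        "server_key": derive_session_key(server_priv, client_pub),
    }


def proxy_attempt(server_long_term_priv, observed):
    """Key a ProxySSL-style intermediary derives from the server's provisioned long-term
    private value and the client public value it saw on the wire."""
    return derive_session_key(server_long_term_priv, observed["client_pub"])


def proxy_can_inspect(ephemeral):
    """True if the proxy's derived key matches the key the endpoints actually share."""
    server_long_term_priv, _ = keypair()          # provisioned on both server and proxy
    hs = handshake(server_long_term_priv, ephemeral)
    assert hs["client_key"] == hs["server_key"]   # the endpoints always agree
    return proxy_attempt(server_long_term_priv, hs) == hs["client_key"]


if __name__ == "__main__":
    print("static key exchange, proxy can inspect:   ", proxy_can_inspect(ephemeral=False))  # True
    print("ephemeral key exchange, proxy can inspect:", proxy_can_inspect(ephemeral=True))   # False
```

In the static case the proxy needs nothing beyond the server's long-term private value and the client's public value, which is exactly what a ProxySSL deployment provisions and observes. In the ephemeral case the server's per-session private value never leaves the server, so the proxy's derivation fails even though the endpoints agree, which is why the payload remains opaque to the intermediary and why a tunnel or a different technique is needed to preserve the proxy's higher-layer services.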