Forum Discussion
APM On-Demand Cert Auth agent resets the connection when handshake timeout occurs.
Hi Alexander.
I have already deployed this kind of implementation, and just like you, I had to increase the timeout. Indeed, as F5 explains, it is not good practice, because of the security attack risk.
Going back to your use case: SSL Client Profile to ask for a certificate (Client Certificate Request option):
I think it's normal that it works: you set the way the system handles client certificates to "Request". That means that the system requests a valid certificate from a client but always authenticates the client, whether you provide it with a certificate or not.
On the other hand, if you had configured it to "REQUIRE", after 10 seconds without providing a cert (smartcard) you would have a blank page... Timeout.
So for me the behaviour that you encounter is normal!!! And the APM On-Demand Cert Auth agent is working correctly.
In general, when we use Cert auth (in the majority of use cases), we do not need any manipulation by the user except the cert selection, of course. In your case you have a smartcard and maybe an OTP to enter, so you have to take into account the user behavior and the latency that it causes, so your 10 seconds of timeout will not be appropriate in your case.
Let me know if you need additional information.
Regards,