For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Apr 10, 2019

APM On-Demand Cert Auth failure even though cert exists and is valid

I have a multi-path VPE. The first path is for automated systems which are detected based on client ip and take a branch using that logic. I know this path is working because I already have systems u...
application delivery
BIG-IP Access Policy Manager (APM)
ackaljn's avatar
ackaljn
Icon for Nimbostratus rankNimbostratus
Apr 10, 2019

I've noticed the session.ssl.cert.valid variable values seem backwards. Pulled from a currently connected session that went through a On-Demand Cert Auth:

 

session.ssl.cert.exist=1

 

session.ssl.cert.valid=0

 

session.ssl.cert.whole contains the entire cert, it should exist if the client presents a cert.

 

I looked at the default successful branch rule for On-Demand Cert Auth and its "expr { [mcget {session.ssl.cert.valid}] == "0" }"