Forum Discussion
Skuba_85554
Nimbostratus
Aug 11, 2009
bypassing client authentication
I've got a virtual server listening on 443 which uses both a certificate for SSL and also requires client authentication. This works fine.
I've now been informed of another set of users ...
hoolio
Cirrostratus
Aug 14, 2009
The clientssl profile you add to the virtual server should have client cert set to ignore and then the iRule dynamically requests (or requires) a client cert for specific URIs using the SSL:: commands.
If you set the cert mode to require, a client who doesn't send a cert when it's prompted will receive a TCP reset. If you want to handle this more gracefully, you could set the profile to request and then have the app send a response if no cert is present.
You'll probably want to insert the client cert in the session table and include some details about the cert in the HTTP headers in requests to the pool. This way the pool member can validate the cert before allowing the request. This could also be done in the iRule using the clientssl profile's Trusted CA cert field and the SSL::verify command.
Aaron
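A sketch of the approach described in the reply above, added here as an example and not taken from the thread or from F5's own code. It covers the URI-gated certificate requirement and the header insertion, reading the certificate from the connection rather than the session table. The `/secure` prefix and the `X-Client-Cert-*` header names are hypothetical, the clientssl profile is assumed to have client cert mode `ignore` and a Trusted CA set, and inserting headers from `HTTP_REQUEST_SEND` via `clientside` should be confirmed on the TMOS version in use.

```tcl
# Added example: require a client cert only for protected URIs.
# Assumes clientssl profile cert mode "ignore" plus a Trusted CA bundle.
# "/secure" and the X-Client-Cert-* header names are hypothetical.
when HTTP_REQUEST {
    # Strip any copies of these headers sent by the client, so the pool
    # member only ever sees values set by this iRule.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Verify"
    set need_cert 0
    if { [string tolower [HTTP::path]] starts_with "/secure" } {
        set need_cert 1
        if { [SSL::cert count] == 0 } {
            # Hold the request, then renegotiate requiring a cert.
            # With mode "require", a client that sends no cert is reset.
            HTTP::collect
            set held 1
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
when CLIENTSSL_HANDSHAKE {
    # Fires when the renegotiation completes; resume the held request.
    if { [info exists held] && $held } {
        set held 0
        HTTP::release
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { $need_cert && [SSL::cert count] > 0 } {
            # Pass cert details to the pool member for its own checks.
            HTTP::header insert "X-Client-Cert-Subject" \
                [X509::subject [SSL::cert 0]]
            HTTP::header insert "X-Client-Cert-Verify" \
                [X509::verify_cert_error_string [SSL::verify_result]]
        }
    }
}
```

The pool member should accept these headers only on connections that arrive from the BIG-IP, since anything that can reach it directly could set them itself.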
