Forum Discussion
Skuba_85554
Nimbostratus
Nimbostratusbypassing client authentication
i've got a virtual server listening on 443 which uses both a certificate for SSL and also requires client authentication. this works fine
i've now been informed of another set of users ...
hoolio
Cirrostratus
CirrostratusThe clientssl profile you add to the virtual server should have client cert set to ignore and then the iRule dynamically requests (or requires) a client cert for specific URIs using the SSL:: commands.
If you set the cert mode to require, a client who doesn't send a cert when it's prompted will receive a TCP reset. If you want to handle this more gracefully, you could set the profile to request and then have the app send a response if no cert is present.
You'll probably want to insert the client cert in the session table and include some details about the cert in the HTTP headers in requests to the pool. This way the pool member can validate the cert before allowing the request. This could also be done in the iRule using the clientssl profile's Trusted CA cert field and the SSL::verify command.
Aaron
