Forum Discussion
ashbeyk_127079
Nimbostratus
Sep 26, 2005
Can't set advertised cert authorities
I have a rule which decides whether to request a cert depending on the URL requested.
The client Authentication section of the Client SSL profile is set to "Ignore" and the iRule contains:
    if {($need_cert == 1) && ($have_cert == 0)} {
        HTTP::collect
        log local0. "Cert required, sent renegotiate"
        SSL::cert mode require
        SSL::renegotiate
    }
This works OK but I now want to set the "Advertised Certificate Authorities" to only prompt the client for certs generated from a specific authority. The GUI doesn't let me set this unless I change the Client Certificate field to "Auto". I then get prompted for a client cert for every connection. I tried setting SSL::cert mode ignore in the CLIENT_ACCEPTED event but the command isn't valid here. Is there a way round this?
- unRuleY_95363
Historic F5 Account
You should be able to set that from the CLI even though the cert mode is ignore. The only downside is to be careful not to use the GUI to view that profile as it will reset it. We do have a CR addressing a very similar problem on a different post (you couldn't specify the CRL file if the cert mode was set to ignore). You could always call support and request a hotfix (this will potentially raise the priority on getting it fixed sooner rather than later).
- ashbeyk_127079
Nimbostratus
So I should be able to set the Cert Authorities? What would the command be? - I don't see an SSL:: option
- unRuleY_95363
Historic F5 Account
We don't have an iRule command that changes any of the parameters that are derived from files (eg: key, cert, chain, CA, CRL, or client cert CA files).
- unRuleY_95363
Historic F5 Account
Whoops, I just realized you probably want to specify:
[root@hsibj1:Active] config bigpipe profile clientssl client cert ca
- hoolio
Cirrostratus
This would be great to fix in the GUI...
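
An added example, not code from the thread or from F5: one way the fragment in the first post fits into a complete iRule, with an issuer check done in the iRule itself because, as stated above, no iRule command changes the client cert CA files. The `/secure/` prefix, the issuer CN and the variable `required_issuer_cn` are assumptions, and the exact string format returned by `X509::issuer` should be confirmed on the version in use.

```tcl
# Added example. Assumptions: the /secure/ prefix and the issuer CN are
# hypothetical; the client SSL profile has Client Certificate set to "Ignore".
when CLIENT_ACCEPTED {
    # Per-connection state, named as in the fragment from the first post.
    set have_cert 0
    set required_issuer_cn "CN=Example Issuing CA"
}

when HTTP_REQUEST {
    # Decide from the URL whether this request needs a client certificate.
    if {[HTTP::uri] starts_with "/secure/"} {
        set need_cert 1
    } else {
        set need_cert 0
    }
    if {($need_cert == 1) && ($have_cert == 0)} {
        # Hold the request while the client is asked for a certificate.
        HTTP::collect
        log local0. "Cert required, sent renegotiate"
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has answered the certificate request.
    if {[SSL::cert count] == 0} {
        log local0. "No client cert presented, rejecting"
        reject
        return
    }
    # The advertised CA list is only a hint to the client, so the issuer
    # is checked here as well. Substring match on the issuer DN.
    set issuer [X509::issuer [SSL::cert 0]]
    if {!($issuer contains $required_issuer_cn)} {
        log local0. "Unexpected issuer: $issuer"
        reject
        return
    }
    set have_cert 1
    # Let the held request continue to the pool.
    HTTP::release
}
```

The issuer string match is an extra filter on top of chain verification against the profile's trusted CA, not a replacement for it.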