Forum Discussion
Catch specific SSL errors/failures???
To request a client cert for specific URIs, you could:
* set the client SSL cert mode to ignore
* put the URIs you do or don't want to request a client cert for in a data group
* in HTTP_REQUEST, check if the URI requires a client cert, set a variable to track that you've requested a client cert and then do:
```tcl
when HTTP_REQUEST {
    # Data group name is an assumption for illustration: client_cert_uris holds the
    # URI prefixes that require a client cert
    if { [class match [HTTP::uri] starts_with client_cert_uris] } {
        # Force renegotiation of the SSL connection with a cert requested
        set need_cert 1
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}
```
On the subsequent CLIENTSSL_CLIENTCERT event, check if the client presented a valid cert. If so, allow the request. If not, send a response and block the request.
I'm not sure if it helps or overcomplicates things, but I tested a related iRule for selective client cert requesting. But it includes OCSP validation and was done pre-10.1.0 when the SSL::cert was cached for us for the duration of the SSL session. Anyhow, here it is:
http://devcentral.f5.com/wiki/iRules.client_cert_request_by_uri_with_ocsp_checking.ashx
If all of this looks too complicated, you could try separating the content which requires a client cert to another virtual server and then use the iRule you've already written.
Aaron
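The complete flow described in the post above (request a cert only for listed URIs, then allow or block in CLIENTSSL_CLIENTCERT), as an added iRule example that is not Aaron's code and not the linked OCSP iRule. It assumes a data group named client_cert_uris holding URI prefixes, a client SSL profile whose cert mode is set to ignore, and uses HTTP::collect / HTTP::release to hold the request until the renegotiation has finished, which the post does not spell out.

```tcl
# Added example: selective client cert request by URI with an allow/block decision.
# Assumptions (not from the post): data group "client_cert_uris" lists the URI
# prefixes that require a client cert; the client SSL profile's cert mode is "ignore".
when CLIENT_ACCEPTED {
    # Per-connection state: have we asked for a cert, and was one accepted?
    set need_cert 0
    set cert_ok 0
}

when HTTP_REQUEST {
    if { [class match [HTTP::uri] starts_with client_cert_uris] } {
        if { $cert_ok } {
            # A cert was already validated on this keep-alive connection; let it through
            return
        }
        if { !$need_cert } {
            set need_cert 1
            # Hold the request so it is not forwarded to the pool before the
            # renegotiation completes; HTTP::release in CLIENTSSL_CLIENTCERT lets it go.
            # If the client never completes the handshake the held request times out.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    if { !$need_cert } {
        return
    }
    # SSL::cert count is 0 when the client sent no certificate at all.
    # SSL::verify_result is 0 (X509_V_OK) only when the presented chain validated
    # against the CA bundle configured on the client SSL profile.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_ok 1
        log local0. "Client cert accepted from [IP::client_addr]: [X509::subject [SSL::cert 0]]"
        # Release the held request to the pool
        HTTP::release
    } else {
        log local0. "Client cert missing or invalid from [IP::client_addr] (verify_result [SSL::verify_result])"
        # Send a response and stop the request, as the post describes
        HTTP::respond 403 content "Client certificate required" "Content-Type" "text/plain" "Connection" "close"
    }
}
```

The logging lines give the operations team a record of which connections were challenged and why they were refused; the verify_result value in the failure log distinguishes "no cert sent" from "cert sent but chain not trusted", which is the first thing to check when users report unexpected 403s.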