Forum Discussion

Adrien_Legros_1's avatar
Adrien_Legros_1
Icon for Altostratus rankAltostratus
Jan 21, 2010

Change SSLClient profile based on URI

Hello,

 

 

we have a groupe of application under the same hostname but with different URIs. Some applications require a client authentication with a certificate but others are public application without any client auth. So I need to use a simple ssl client profile for the public part and a ssl client profile with client auth for the other part. But How can I change the profile by looking at the Uri given by the request?

 

 

Example:

 

 

https://portal.test.com is a public part without any authentication

 

https://portal.test.com/secure needs a client certificate

 

 

Thanks.
application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 21, 2010
    Hi Adrien,

     

     

    You could use an iRule to check the requested URI and selectively renegotiate the SSL handshake to request a client cert for restricted URIs.

     

     

    Which LTM version are you running?

     

     

    Aaron
  • Adrien_Legros_1's avatar
    Adrien_Legros_1
    Icon for Altostratus rankAltostratus
    Jan 22, 2010
    We are using version 10.0.1 htfx3 and we wil shortly use version 10.1

     

     

    To renegotiate the ssl, should I use the command ssl::renegotiate ?

     

     

    Thanks for your help.
  • Adrien_Legros_1's avatar
    Adrien_Legros_1
    Icon for Altostratus rankAltostratus
    Jan 25, 2010
    Hello, thanks for your help, I think I have an Irule that works more or less like I'd like too. One question more

     

    Here is the way I perform the ssl enhancement to ask the certificate but I do not know How the F5 choose the trusted CA as I did not configured it in the ssl profile (not needed for weak applications). How can I configure it to be sure it will choose the good one.

     

     

    HTTP::collect

     

    SSL::authenticate always

     

    SSL::authenticate depth 9

     

    SSL::cert mode require

     

    SSL::renegotiate

     

    no command for the trusted CA list ????
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 25, 2010
    Hi Adrien,

     

     

    You can configure the Trusted Certificate Authorities bundle in the client SSL profile only. There isn't an option to specify this or the advertised client cert bundle in an iRule. This would make a good request for enhancement though. If you'd like F5 to consider adding this functionality, you could open a case with F5 Support. If they give you an RFE CR number, could you reply here with it so others can reference it?

     

     

    Thanks,

     

    Aaron
  • Adrien_Legros_1's avatar
    Adrien_Legros_1
    Icon for Altostratus rankAltostratus
    Jan 25, 2010
    No problems to open the case and ask for the enhancement. I'll give you the feedback. Las question: If i can not choose the trusted CA in the Irule and I configure it in the profile, should my profile work with application that do not require client certificate and also with apps that requires the cert?

     

    Thanks.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 25, 2010
    If you don't request/require a client cert, the trusted client cert authority bundle shouldn't be used. I've used this configuration in an implementation before without any problems.

     

     

    Aaron