Forum Discussion

Edgar_Palamarch's avatar
Edgar_Palamarch
Icon for Nimbostratus rankNimbostratus
Oct 14, 2015

Client Authentication Based On URI

Hello, Currently, to configure client authentication on a URI, we create 2 client SSL profiles (one of which is parent for the other) and 2 iRules that check a data group against the URI list. The ...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 14, 2015

That code actually just works on a single VIP. You just need the one client SSL profile that also has the Trusted Certificate Authorities option configured and Client Authentication set to "ignore". When the browser accesses the secure site URL, the iRule is forcing an SSL renegotiation and flipping the Client Authentication setting to "require".

 

  • iamsajjad's avatar
    iamsajjad
    Icon for Cirrus rankCirrus
    Jun 27, 2023

    Your expert feedback was helpful to implement similar conditional mTLS with confidence in 2023!

    In another article you nicely explained purpose of HTTP:collect. 1) I wonder why do we need HTTP:release? 2) Does it matter calling it at the beginning or end? 3) I don't good explanation. I found without this piece HTTP_REQUEST_SEND does not fire.

    Also, while we are renegotiation anyway 1) should we invalidate the ssl session? 2) What value it adds? 3) Otherwise, what's the pitafall not invalidating the session?

    Will aprpeciate your response.

    Thank you.