Forum Discussion

tub91's avatar
tub91
Icon for Cirrus rankCirrus
Oct 18, 2022

Client Authentication with certificate on one URI only

Hello, I need your help figuring out how to troubleshoot a new implementation. We have a VIP exhibiting our service. The VIP has its own SSL client profile. Behind this VIP is an IIS which has 5 we...
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Oct 27, 2022

    Just to quickly follow up on this question, the answer depends on when. From an OSI perspective, by the time you've reached the HTTP uri, the TLS handshake is already done, so you really don't have any other option but to perform renegotiation. Since the client and BIG-IP have already established a TLS session (without cert auth), you basically have to tell the client to start a new TLS handshake, while you flip on the cert auth option. Even APM does this for things like On-Demand Cert Auth, that happen after initial TLS handshake and after the access policy has started.

    If you can get to the data you're looking for before the TLS handshake finishes, like looking at the SNI in the layer 4 TCP payload, then it would be possible to switch client SSL profiles (between auth and non-auth SSL profiles).