Forum Discussion
Client Certificate authentication
Doing client certificate request in the client SSL profile or doing it in APM with the On-Demand Cert Auth agent are going to provide the same result, with a few minor differences. In any case, you're setting request, which is a "soft fail", meaning that if a certificate error occurs, or if no certificate is presented at all, it'll fail open. This is what you need if some clients won't have a certificate, but it doesn't provide any built-in constraints. For that you'd need an iRule or APM code logic to read some attribute of the certificate and make a decision. If you used an agent in the VPE, you could look at attributes of the incoming client certificate with:
session.ssl.cert.* where * could be any number of attributes. Here's a quick list of some of those attributes: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-11-6-0/5.html?sr=56810247
With this you could read the certificate subject, CN, issuer, validity dates, other attributes, and anything in the extensions field to make an access decision.
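An iRule version of the constraint the reply describes, added here as an example and not code from the original post: the client SSL profile stays on "request" (fail open), and the iRule adds the decision by checking chain validation, issuer and subject in CLIENTSSL_CLIENTCERT, then denying HTTP requests on connections that did not pass. The issuer DN and the OU string are placeholder assumptions.

```tcl
# Added example: turn "request" (soft fail) into an enforced check.
# The issuer DN and OU below are placeholders for your own CA and policy.
when CLIENTSSL_CLIENTCERT {
    set cert_ok 0
    set cert_reason "no client certificate presented"

    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # SSL::verify_result is 0 only when the chain validated against the
        # profile's trusted CA bundle; anything else is an X509 error code.
        set vres [SSL::verify_result]
        if { $vres != 0 } {
            set cert_reason "validation failed: [X509::verify_cert_error_string $vres]"
        } elseif { [X509::issuer $cert] ne "CN=Example Internal CA,O=Example Corp" } {
            set cert_reason "untrusted issuer: [X509::issuer $cert]"
        } elseif { ![string match "*OU=VPN Users*" [X509::subject $cert]] } {
            set cert_reason "subject not in permitted OU: [X509::subject $cert]"
        } else {
            set cert_ok 1
            set cert_reason "ok"
        }
    }
    log local0. "client cert decision for [IP::client_addr]: $cert_reason"
}

when HTTP_REQUEST {
    # Variables set in CLIENTSSL_CLIENTCERT are connection-scoped, so they are
    # visible here for every request carried on the same TLS connection.
    if { ![info exists cert_ok] || !$cert_ok } {
        HTTP::respond 403 content "Client certificate required" "Connection" "close"
        return
    }
}
```

The log line records why each connection was allowed or denied, which is the detail you want when a legitimate client is rejected because of an expired or wrongly issued certificate.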