Forum Discussion
Andy_4962
Nimbostratus
Feb 02, 2010
Client Certificate Request on demand
Hello group!
I can not seem to get a client cert request to appear to the end user a second time in a single session.
For authentication purposes, I want to allow the end...
hoolio
Cirrostratus
Feb 03, 2010
Hi Andy,
Thanks for the clarification. So you're testing to a VIP with a client SSL profile set to request a client cert. You access a link containing "login", click cancel on the cert prompt, then click on a login link again and don't get a cert prompt?
IE (and most other browsers) will "remember" by default the user's selection (or non-selection) of a cert for the duration of the SSL session. I thought using SSL::session invalidate and SSL::renegotiate would force a new SSL session to be negotiated. And I thought in the process, the browser would prompt the user the next time a cert was requested by LTM.
To test, can you change your browser to prompt you on each request for a client cert? It might also help to log the SSL::sessionid value to see if a new SSL session is negotiated. You could also capture a tcpdump and use ssldump to decrypt/analyze the SSL handshakes:
ssldump -AedHr /var/tmp/encrypted.dmp -Nk /config/ssl/ssl.key/ssl.key > /var/tmp/decrypted.dmp.txt
Aaron
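As an added illustration of the troubleshooting approach suggested above (not code from either poster), here is an iRule that forces a fresh SSL session and client-cert request when a "login" URI is hit without a cert, and logs SSL::sessionid before and after so you can confirm in /var/log/ltm whether a new session was actually negotiated. It assumes the virtual server has a client SSL profile with Client Certificate set to "request"; the "login" URI match and the log prefix are taken from the thread or chosen for this example.

```tcl
# Assumption: client SSL profile on the VIP has Client Certificate = request.
when CLIENTSSL_HANDSHAKE {
    # Log the session ID of every completed handshake; compare consecutive
    # entries to see whether the renegotiation produced a new session.
    log local0. "handshake done, sessionid=[SSL::sessionid] certs=[SSL::cert count]"
    # If we held an HTTP request while renegotiating, let it continue now.
    if { [info exists renegotiating] && $renegotiating } {
        set renegotiating 0
        HTTP::release
    }
}

when HTTP_REQUEST {
    # Only protected URIs (the thread uses "login") should trigger a cert request.
    if { [string tolower [HTTP::uri]] contains "login" } {
        if { [SSL::cert count] == 0 } {
            log local0. "no client cert on [HTTP::uri], old sessionid=[SSL::sessionid]"
            # Hold the request, drop the cached session and start a new handshake,
            # which is what should make the browser prompt for a certificate again.
            set renegotiating 1
            HTTP::collect
            SSL::session invalidate
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires during the (re)negotiated handshake; record what the client sent.
    if { [SSL::cert count] > 0 } {
        log local0. "client cert subject=[X509::subject [SSL::cert 0]]"
    } else {
        log local0. "client sent no certificate"
    }
}
```

If the second "handshake done" entry shows the same sessionid as the first, the browser resumed the old session and the renegotiation did not take effect, which is the case to confirm with the ssldump decryption described above.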