For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Eric_Frankenfie's avatar
Eric_Frankenfie
Icon for Nimbostratus rankNimbostratus
Feb 14, 2013

Client SSL Authentication

I have a virtual server using a client SSL profile to offload SSL processing, but I would like to take this a step further and require SSL client authentication to prevent man in the middle attacks. ...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 10, 2013

The easiest thing would probably be to create two client SSL profiles: one with client authentication and one without, then create an address-based data group that contains your whitelist IPs/IP subnets. Here's what the iRule might look like:

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals my_ip_dg] } {
        SSL:profile noauth_clientssl
    } else {
        SSL::profile auth_clientssl
    }
}

where "my_ip_dg" is the name of the arbitrarily-named address-based data group, and "noauth_clientssl" and "auth_clientssl" are the names of the client SSL profiles - no auth and auth respectively.