Forum Discussion
James_Yang_9981
Jun 06, 2006 (Altostratus)
At last, I got this rule running:
when CLIENT_ACCEPTED {
    # Track whether this connection has been asked to renegotiate for a client cert
    set session_flag 0
}

when CLIENTSSL_HANDSHAKE {
    # Fires on the initial handshake and again after SSL::renegotiate
    log local0.warn "cert count=[SSL::cert count]"
    if { [SSL::cert count] == 0 } {
        log local0.warn "when client handshake, ssl cert count is 0, pass"
    } else {
        log local0.warn "when client handshake, two-way cert found and the cert count is [SSL::cert count]"
        # Release the request that HTTP_REQUEST held back with HTTP::collect
        HTTP::release
    }
    log local0. "Session flag is $session_flag"
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/manual/" } {
        log local0. "Requiring certificate... and the request URI is: [HTTP::uri]"
        if { [SSL::cert count] == 0 } {
            log local0. "when http request, ssl cert count is 0, now http collect"
            # Hold the request until the renegotiated handshake completes
            HTTP::collect
            # Switch the client SSL profile from ignore to require for this connection
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            log local0. "when http request, now renegotiating"
            set session_flag 1
            SSL::renegotiate
        }
    } else {
        log local0.warn "No cert needed, to server directly. And the URI is [HTTP::uri]"
    }
    log local0. "Session_flag at end of http_request is $session_flag"
}
With this rule, I can change the authentication mode from ignore to require depending on the URI the customer requests. But it only runs on BIG-IP 9.1.2 and can't run on BIG-IP 9.4.0 beta one build 211. BIG-IP 9.4 seems unable to capture the client cert after renegotiate.
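As an added example (not the poster's rule and not F5-supplied code), the same per-URI pattern written to fail closed: the rule above logs and simply never releases the held request when the renegotiated handshake still yields no certificate, so the client hangs rather than being told anything. This variant uses the session flag to distinguish the first handshake from the post-renegotiation one and rejects the connection when a cert was demanded but is absent or fails chain verification. It assumes the same `/manual/` prefix as the post, and that `SSL::verify_result` and `reject` behave as documented (0 from `SSL::verify_result` meaning the chain verified); both are assumptions about the target release, since the post reports 9.4 beta not exposing the cert after renegotiation at all.

```tcl
when CLIENT_ACCEPTED {
    # 0 = no renegotiation requested yet; 1 = we asked the client for a cert
    set session_flag 0
}

when CLIENTSSL_HANDSHAKE {
    if { $session_flag == 0 } {
        # Initial handshake with the profile in "ignore" mode: nothing to decide yet
        log local0. "initial handshake, cert count=[SSL::cert count]"
        return
    }

    # We get here only after SSL::renegotiate issued from HTTP_REQUEST
    if { [SSL::cert count] == 0 } {
        # Fail closed: the client did not present a cert when one was required
        log local0.warn "renegotiation yielded no client cert for [IP::client_addr], rejecting"
        reject
        return
    }

    # Assumption: SSL::verify_result returns 0 when the presented chain verified
    if { [SSL::verify_result] != 0 } {
        log local0.warn "client cert failed verification (result [SSL::verify_result]) for [IP::client_addr], rejecting"
        reject
        return
    }

    log local0. "client cert accepted, count=[SSL::cert count], releasing held request"
    # Let the request that HTTP_REQUEST held back continue to the pool
    HTTP::release
}

when HTTP_REQUEST {
    # Only the protected prefix needs a certificate; everything else passes through
    if { !([HTTP::uri] starts_with "/manual/") } {
        return
    }

    if { [SSL::cert count] > 0 } {
        # Cert already presented on this connection (e.g. a second request); nothing to do
        return
    }

    if { $session_flag == 1 } {
        # A renegotiation was already requested on this connection and produced no
        # usable cert; do not loop forever asking again
        log local0.warn "repeat request to protected URI without cert, rejecting"
        reject
        return
    }

    # Hold this request, tighten the client-side SSL settings, and renegotiate
    HTTP::collect
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode require
    set session_flag 1
    log local0. "requesting client cert for [HTTP::uri] via renegotiation"
    SSL::renegotiate
}
```

The difference from the original rule is only in what happens when the renegotiation does not produce an acceptable certificate: the connection is rejected and logged with the client address, which gives the client an immediate failure and gives the operator a log line to alert on, instead of a silently stalled request.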