Forum Discussion
Xavier_Gillmann
Nimbostratus
Sep 09, 2005
(Client) SSL profiles config from iRules
Hi all,
First I have to say that this forum is really great: I found so many indications here... thank you everybody!! I hope this topic will contribute to this rich source of information...
I...
James_Yang_9981
Altostratus
Jun 06, 2006
At last, I got this rule running:

    when CLIENT_ACCEPTED {
        set session_flag 0
    }
    when CLIENTSSL_HANDSHAKE {
        log local0.warn "cert count=[SSL::cert count]"
        if { [SSL::cert count] == 0 } {
            log local0.warn "when client handshake, ssl cert count is 0, pass"
        } else {
            log local0.warn "when client handshake, two-way cert found and the cert count is [SSL::cert count]"
            HTTP::release
        }
        log "Session flag is $session_flag"
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/manual/" } {
            log "Requiring certificate... and the request uri is: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                log local0. "when http request, ssl cert count is 0, now http collect"
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                log local0. "when http request, now renegotiating"
                set session_flag 1
                SSL::renegotiate
            }
        } else {
            log local0.warn "No cert needed, to server directly. And the uri is [HTTP::uri]"
        }
        log "Session_flag at end of http_request is $session_flag"
    }

With this rule, I can change the authenticate mode from ignore to require depending on the URI the customer requires. But it can only run on BIG-IP 9.1.2 and can't run on BIG-IP 9.4.0 beta one build 211. BIG-IP 9.4 seems unable to capture the client cert after renegotiation.
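The same collect / renegotiate / release pattern, written as an added example that is not the poster's code: it uses a per-connection flag so HTTP::collect is only issued once, logs the certificate subject once one is available, and refuses to forward a protected request when renegotiation produced no certificate. The "/manual/" prefix comes from the thread; that `reject` is permitted in CLIENTSSL_HANDSHAKE on the reader's BIG-IP version is an assumption.

```tcl
# Added example (not from the thread). Assumes v9-era iRule syntax and that
# "reject" may be called from CLIENTSSL_HANDSHAKE.
when CLIENT_ACCEPTED {
    # 1 once we have held a request and asked for a new handshake
    set collected 0
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/manual/" } {
        if { [SSL::cert count] == 0 } {
            if { $collected == 0 } {
                # Hold the request, tighten the profile, force a new handshake
                set collected 1
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            } else {
                # A later request on the same connection, still without a
                # cert after renegotiation: deny instead of passing it on
                log local0.warn "No client cert for [HTTP::uri] from [IP::client_addr]"
                HTTP::respond 403 content "Client certificate required"
            }
        } else {
            # Cert already presented on this connection; record who it is
            log local0. "Client cert [X509::subject [SSL::cert 0]] for [HTTP::uri]"
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    if { $collected == 1 } {
        if { [SSL::cert count] > 0 } {
            # Renegotiation delivered a cert: let the held request continue
            log local0. "Renegotiated, subject [X509::subject [SSL::cert 0]]"
            HTTP::release
        } else {
            # Required cert missing: drop the connection rather than release
            # the protected request unauthenticated
            log local0.warn "Renegotiation yielded no client cert from [IP::client_addr]"
            reject
        }
    }
}
```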