hoolio
Jan 19, 2010

Details for new client cert functionality in v10.1?

Hi,

The 10.1 release notes contain this gem:

https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_10_1_0_ltm.html

Behavior changes in version 10.1.0

SSL::cert iRule commands (CR116806)

The following iRule commands now apply to the lifetime of the SSL session, and not only for the connection in which the system receives the client certificate:

SSL::cert GET_PEER_CERT
SSL::cert issuer GET_PEERCERTISSUER
SSL::cert count GET_PEER_CERTCOUNT

It looks like this functionality will eliminate the need to store the client cert (or cert details) in the session table. It should make client cert-based iRules much simpler.

Per the 10.1 release notes, it looks like the SSL session cache was also made CMP-capable in 10.1. Are there any other related changes?

Is using this new functionality as simple as "take a working pre-10.1 client cert iRule, remove any 'session add' commands, and change any session lookups to the actual SSL::cert commands"?

Thanks,

Aaron
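The before/after migration the question describes, as an added illustration that is not from this thread or from F5's own documentation. iRule 1 is the assumed pre-10.1 pattern that caches the client cert in the session table so later connections on a resumed SSL session can still see it; iRule 2 assumes the 10.1 release-note behaviour (SSL::cert valid for the whole SSL session) and drops the session-table round trip. The header names and the 180-second timeout are arbitrary choices for the example.

```tcl
# --- iRule 1: assumed pre-10.1 pattern ---
# SSL::cert is only populated on the connection that performed the
# client-cert handshake, so stash the cert keyed by SSL session ID.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        # 180-second timeout is an arbitrary value for this example
        session add ssl [SSL::sessionid] [SSL::cert 0] 180
    }
}
when HTTP_REQUEST {
    set cert [session lookup ssl [SSL::sessionid]]
    if { $cert eq "" } {
        # No cert cached for this SSL session: refuse the request rather
        # than forward it without the identity header.
        reject
        return
    }
    # Header name is arbitrary for this example.
    HTTP::header insert X-Client-Cert-Subject [X509::subject $cert]
}

# --- iRule 2: assumed 10.1 pattern ---
# SSL::cert now persists for the lifetime of the SSL session, so the
# CLIENTSSL_CLIENTCERT event and the session add/lookup pair go away.
when HTTP_REQUEST {
    if { [SSL::cert count] == 0 } {
        # Resumed or fresh session with no client cert: refuse the request.
        reject
        return
    }
    HTTP::header insert X-Client-Cert-Subject [X509::subject [SSL::cert 0]]
    HTTP::header insert X-Client-Cert-Issuer [X509::issuer [SSL::cert 0]]
}
```

The two iRules are shown side by side for comparison only; each would be applied to a virtual server on its own, since a single iRule cannot declare HTTP_REQUEST twice.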
• spark_86682
  Historic F5 Account
  I don't recall seeing this before, but it could be a very welcome addition, you are correct. I'll see if I can dig up any info in my Copious Free Time.
• hoolio
  When you have time, that would be very helpful. I'll try testing it as well.

  Thanks,

  Aaron