Forum Discussion
NimbostratusFiltering based on client certificate
Hello,
I want to make F5 filter user requests based on client certificate so that requests that do not have certificate are not passed to web server. Also, F5 shouldn't authenticate the user. How can this be done?
jakru_162096Hello,
take a look on client ssl profile. You have whole section there called "Client Authentication" where you define parameters used to determine if client with certain certificate should be allowed or not.
More details here: https://support.f5.com/csp/article/K14783
Zaklina_377109If I use SSL proxy function and certificate doesnt match or I receive connections without certificate, who will drop request, BIGIP or server? I need BIGIP drop that connections. Maybe there is some other options so that BIGIP can drop such request?
- Kevin_Stewart
Employee
By "SSL proxy", do you mean "Proxy SSL"? If so, in this function the BIG-IP has no control over the TLS handshake. You can see the TLS handshake, but you'd have to use TCP binary iRules to inspect it.
It's probably also worth noting that Proxy SSL, like any other product that does passive SSL inspection, cannot work with perfect forward secret (DHE) ciphers.
- jakru_162096
Zaklina,
if you need bigip to drop the request you need to actually have that proxy ssl function disabled (this is default). That way your f5 tries to negotiate ssl handshake and if the client does not provide proper certificate it will fail.
