Forum Discussion

Rodolphe_AUBINE
Sep 18, 2013

How to bypass default two-way SSL authentication on a specific URI pattern on the same virtual server, i.e. same client SSL profile

I have one virtual server which uses a client SSL profile which requires two-way SSL authentication. By default, an X509 client certificate is required for any URI requested.

 

I am looking for a way (with an iRule) to bypass client authentication (by staying in one-way SSL server authentication) for some specific URIs.

 

Who can help me?

 

LTM/ASM v11.2

 

  • This is a common question. As SSL/TLS operations occur before any HTTP is passed, this is not possible.

     

  • Ultimately you'd want to switch the client SSL profile, or make a setting change based on the URI evaluation, but as Steve states, SSL negotiation happens before HTTP, so it's not really possible. There are alternatives though.

     

    1. You can use SSL:: commands in an iRule to trigger a renegotiation and cert request based on request criteria. There's no way to alter the original SSL handshake, but you can cause a renegotiation and change the authentication settings there. The wiki page for SSL::authenticate actually has a good example:

    https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx

     

    2. The Access Policy Manager (APM) module can perform this SSL renegotiation and client certificate request very easily without iRules. APM evaluates authentication at the beginning of the session, so in your case, because you might have users pass from a non-authenticated to an authenticated URI during the session, you'd still need an iRule to trigger access policy renegotiation.
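
The renegotiation approach from the first alternative above, written out as an iRule. This is an added example, not code from the thread or from the linked wiki page. It assumes the client SSL profile's client-certificate setting has been changed from "require" to "ignore" so the initial handshake is one-way; the `/public` and `/health` prefixes are hypothetical exempt URIs.

```tcl
# Added example. Assumption: the client SSL profile no longer requires a
# client certificate, so this iRule is what enforces it. Exempt prefixes
# (/public, /health) are hypothetical placeholders.

when CLIENT_ACCEPTED {
    # Per-connection flag: set while a renegotiation we triggered is in flight.
    set reneg_pending 0
}

when HTTP_REQUEST {
    # Exempt URIs stay on one-way (server-only) authentication.
    if { [HTTP::path] starts_with "/public" or [HTTP::path] starts_with "/health" } {
        return
    }
    # Every other URI needs a client certificate on this connection.
    if { [SSL::cert count] == 0 } {
        # Hold the request until the renegotiated handshake completes.
        HTTP::collect
        set reneg_pending 1
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake too; act only on our renegotiation.
    if { $reneg_pending } {
        set reneg_pending 0
        # Fail closed: release the held request only if a certificate was
        # presented and passed verification against the profile's trusted CAs.
        if { [SSL::cert count] > 0 and [SSL::verify_result] == 0 } {
            HTTP::release
        } else {
            reject
        }
    }
}
```

Because the default is inverted (certificate required unless the path is explicitly exempt), a URI missing from the exempt list stays protected rather than silently open. The pattern depends on TLS renegotiation, which TLS 1.3 does not support.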