Forum Discussion
Jan 11, 2010
HTTPS - direct based on URI - not terminating SSL
I need to direct traffic to a particular pool based on uri contents. I'm NOT terminating SSL.
1-Can I do this without terminating SSL
2-do I need the else statement or wil...
hoolio
Cirrostratus
Jan 12, 2010
LTM can validate client certs against a root cert you configure in the client SSL profile. If you want to handle failures with something other than a TCP close/reset, you'll need to use an iRule.
If you have the advanced client auth module licensed, you can validate the client cert against a root CA cert and check the cert status using LDAP, OCSP, CRLDP server (or a few other types).
However, there is no way for LTM to proxy the actual client cert for the serverside SSL handshake as LTM doesn't have the client cert private key. You can have LTM insert the cert or cert details on the HTTP request headers sent to the servers. But the app would need to be changed to parse the cert or cert details from the HTTP headers.
There are a few related examples in the iRule codeshare:
http://devcentral.f5.com/Wiki/default.aspx/iRules.CodeShare
http://devcentral.f5.com/Wiki/default.aspx/iRules/ClientCertificateCNChecking.html
http://devcentral.f5.com/Wiki/default.aspx/iRules/InsertCertInServerHeaders.html
http://devcentral.f5.com/Wiki/default.aspx/iRules/RequestClientCertificateAndPassToApplication.html
http://devcentral.f5.com/Wiki/default.aspx/iRules/Validate_certificate_Common_Name_and_revocation.html
Aaron
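An iRule sketched along the lines Aaron describes, as an added example rather than code from the codeshare entries or the thread above: it turns a failed client-cert validation into an HTTP 403 instead of a TCP reset, and forwards the validated cert's details to the pool members as request headers. The header names, the 180-second session-table lifetime and the assumption that the client SSL profile has the root CA configured and session caching enabled are mine.

```tcl
# Assumed client SSL profile: client cert set to "request" or "require", the
# trusted root CA configured, and SSL session caching enabled (so that
# SSL::sessionid is usable as a key between the handshake and the requests).
when CLIENTSSL_CLIENTCERT {
    # Runs once per handshake, after the client presented (or omitted) a cert.
    set verify [SSL::verify_result]
    if { [SSL::cert count] > 0 && $verify == 0 } {
        # Keep the cert in the session table, keyed by SSL session ID, so that
        # HTTP_REQUEST (which may fire many times per connection) can reach it.
        session add ssl [SSL::sessionid] [SSL::cert 0] 180
    } else {
        # Record why validation failed instead of closing the TCP connection.
        session add ssl [SSL::sessionid] \
            "FAILED:[X509::verify_cert_error_string $verify]" 180
    }
}

when HTTP_REQUEST {
    # Strip any client-supplied copies of these headers first; the application
    # must only ever see values that LTM itself inserted.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"
    HTTP::header remove "X-Client-Cert-Serial"

    set cert [session lookup ssl [SSL::sessionid]]
    if { $cert eq "" } {
        # No certificate at all (possible when the profile only "requests" one).
        HTTP::respond 403 content "Client certificate required" "Connection" "close"
        return
    }
    if { [string match "FAILED:*" $cert] } {
        # Validation failed: answer with an HTTP error rather than a close/reset.
        # "FAILED:" is 7 characters, so the error text starts at index 7.
        HTTP::respond 403 content \
            "Client certificate rejected: [string range $cert 7 end]" \
            "Connection" "close"
        return
    }
    # Hand the validated cert's details to the pool member. The application still
    # has to parse these headers, and should accept them only from LTM's address.
    HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
    HTTP::header insert "X-Client-Cert-Issuer"  [X509::issuer $cert]
    HTTP::header insert "X-Client-Cert-Serial"  [X509::serial_number $cert]
}
```

The server-side SSL handshake is still LTM's own (no client private key is available to re-present the cert), so the backend's only view of the client identity is these headers.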