Forum Discussion
Dirk_Laan_18877
Nimbostratus
Nov 20, 2006
if no cert rule
Hello,
We've created the following iRule for checking the cert.
If the cert is present, everything works OK.
But if the client has no cert, the rule HTTP redirect does not work.
...
Dirk_Laan_18877
Nimbostratus
Nov 20, 2006
I've changed the SSL profile:
changed client certificate from require to request.
In this situation it looks OK.
Thanks
http://devcentral.f5.com/Default.aspxtabid=28&view=topic&forumid=5&postid=3561
Just to point out for everybody else though - the problem here is that you can't inspect the URI until after the SSL handshake has completed. If you have the cert mode set to require, then the handshake is not going to successfully complete without it, therefore you won't be able to inspect the URI to determine if it isn't needed.
However, when the cert mode is set to request, then the handshake merely requests the certificate. If it is not present, the connection is still allowed and the rule can then inspect the URI and determine if one is required. At that point, you could simply check if a certificate was present and reject the connection if one was required but not presented.
The only way to not request a certificate initially is to set the cert mode to none and then after inspecting the URI, upgrade the cert mode and force a renegotiation. Obviously, not the optimal way to do things if you have only two pages that don't require a certificate.
Thanks
Dirk
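The request-mode approach described in the explanation above, sketched as an iRule. This is an added example, not part of the original thread: it assumes the client SSL profile has the client certificate set to request, and the two exempt paths and the landing page are hypothetical names.

```tcl
# Added example, not from the thread. Assumes the client SSL profile
# requests (but does not require) a client certificate.
when HTTP_REQUEST {
    # Pages that may be served without a client certificate
    # (hypothetical paths standing in for the "two pages").
    switch -glob [string tolower [HTTP::path]] {
        "/nocert.html" -
        "/help.html" {
            return
        }
    }

    # Everything else needs a certificate. In request mode the handshake
    # completes without one, so the rule has to enforce it here.
    if { [SSL::cert count] == 0 } {
        HTTP::redirect "https://[HTTP::host]/nocert.html"
        return
    }

    # In request mode a certificate that failed verification does not
    # abort the handshake either; a non-zero result means it was not validated.
    if { [SSL::verify_result] != 0 } {
        log local0. "client cert not accepted: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
    }
}
```

The redirect target has to be one of the exempt paths, otherwise a client without a certificate is redirected in a loop.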
