Forum Discussion
Ryan_Rowe_79249
Nimbostratus
Dec 23, 2009
IP Restrict then client cert check
BigIP 8.3.3 and 8.4.1 (hopefully there is no difference)
So here is what I want to do. If an IP is in a datagroup then passthrough but if not then authenticate with an SSL cert.
I t...
Ryan_Rowe_79249
Nimbostratus
Dec 29, 2009
I opened a ticket with F5 about the SSL profile and they said that they need to switch the client authorization from require to request and that made it work. They said this:
Try changing the "peer cert mode require" to "peer cert mode request"
The require option (I have been told) does not function correctly and will break client auth in a lot of circumstances.
The request mode still requires the client to auth.
But here is the output of the command
b profile clientssl BrowserCert list
profile clientssl BrowserCert {
defaults from clientssl
key "Encrypt-Cert.key"
cert "Encrypt-Cert.crt"
ca file "Encrypt-CA.crt"
peer cert mode require
authenticate once
}
b profile clientssl NoBrowserCert list
profile clientssl NoBrowserCert {
defaults from clientssl
key "Encrypt-Cert.key"
cert "Encrypt-Cert.crt"
chain "Encrypt-CA.crt"
}
b profile clientssl clientssl list
profile clientssl clientssl {
mode enable
key "default.key"
cert "default.crt"
chain none
ca file none
crl file none
client cert ca none
ciphers "DEFAULT"
modssl methods disable
cache size 20000
cache timeout 3600
renegotiate period indefinite
renegotiate size indefinite
renegotiate max record delay 10
handshake timeout 60
alert timeout 60
peer cert mode ignore
authenticate once
authenticate depth 9
unclean shutdown enable
strict resume disable
}
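The profile listing above shows the part F5 support changed (peer cert mode) but not the iRule that does the per-IP decision. The following iRule is an added example, not code from the original post or from F5; it shows one way to implement "pass through if the source IP is in a datagroup, otherwise require a valid client certificate" on a virtual server that uses the BrowserCert profile with peer cert mode set to request. The datagroup name trusted_ips (an address-type class) and the profile name NoBrowserCert for the pass-through path are assumptions; the v9-style matchclass syntax matches the bigpipe output above, and on v10 and later the equivalent test is class match [IP::client_addr] equals trusted_ips.

```tcl
# Added example iRule (not from the original post).
# Assumptions: an address datagroup named trusted_ips exists, the virtual
# server's client SSL profile is BrowserCert (ca file set, peer cert mode
# request, authenticate once), and NoBrowserCert is a client SSL profile
# with no client-cert settings for the pass-through case.

when CLIENT_ACCEPTED {
    # Decide once per TCP connection, before the TLS handshake starts.
    # With "require" the handshake would be aborted before any iRule event
    # fires, which is why "request" is needed: the cert is asked for, but the
    # iRule makes the final accept/reject decision.
    if { [matchclass [IP::client_addr] equals $::trusted_ips] } {
        set trusted 1
        # Whitelisted source: switch to the profile that never asks for a cert.
        SSL::profile NoBrowserCert
    } else {
        set trusted 0
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the client's Certificate message is received. In request
    # mode an untrusted client that sends no cert still reaches this event,
    # with a cert count of 0, instead of failing the handshake silently.
    if { $trusted } {
        return
    }
    if { [SSL::cert count] == 0 } {
        # No certificate offered and IP not whitelisted: drop the connection.
        log local0. "No client cert from [IP::client_addr], rejecting"
        reject
        return
    }
    # A cert was offered; verify_result 0 means it chained to "ca file"
    # within "authenticate depth". Anything else is a validation failure
    # (untrusted issuer, expired, depth exceeded), so reject it as well.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client cert from [IP::client_addr] failed verification: [SSL::verify_result]"
        reject
        return
    }
    log local0. "Client cert accepted from [IP::client_addr]: [X509::subject [SSL::cert 0]]"
}
```

Two things to check when using this pattern: the whitelist decision is made on the TCP source address, so any NAT or proxy in front of the BIG-IP collapses many clients into one "trusted" address, and reject closes the connection at the TLS layer, so browsers show a connection error rather than an HTTP 403. If a friendlier error page is wanted, the cert check has to be repeated in HTTP_REQUEST (where HTTP::respond is available) instead of rejecting in CLIENTSSL_CLIENTCERT.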