Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

ronsengupta's avatar
ronsengupta
Icon for Nimbostratus rankNimbostratus
Apr 19, 2023

iRule for checking Client TLS cert during TLS Handshake (TLS 1.3)

Hi All, Version- TLS Ver- 1.3 and F5 LTM Is it possible to create an iRule to drop a TCP session if the Client doesn’t provide an acceptable Client Certificate as part of a TLS handshake ?  
devops
security
ronsengupta's avatar
ronsengupta
Icon for Nimbostratus rankNimbostratus
Apr 22, 2023

Thanks for  the response, this needs to be without the F5 doing TLS termination. The 2 way auth need to be directly between the client and server where F5 LTM will act as TCP pass through, however should be able to check that client using a cert without TLS termination.I was thinking about checking the TLS handshake, as TLS handshake happens before the encrypted message exchange, however TLS handshake does not have client cert it only has cipher suites information. 

Michael_Saleem's avatar
Michael_Saleem
Icon for MVP rankMVP
Apr 22, 2023

I don't think you will be able to get the F5 to check the client certificate without applying a client SSL profile (with client authentication enabled) to the virtual server.

The solution proposed by AlexBCT would work if you were able to terminate SSL on the F5 (as I believe the CLIENTSSL_CLIENTCERT iRule event requires a client SSL profile)