For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

xin_li_90490's avatar
xin_li_90490
Icon for Nimbostratus rankNimbostratus
May 24, 2017

you can refer to this.

when CLIENT_ACCEPTED { 
set collected 0 
set protected 0 
} 
when HTTP_REQUEST { 
if { [HTTP::uri] contains "/2" } { 
    set protected 1 
    log local0. "Protected URI requested: [HTTP::uri]" 
    set collected 1 
    HTTP::collect 
    SSL::authenticate once 
    SSL::authenticate depth 9 
    SSL::cert mode request 
    SSL::renegotiate 
    } 
} 
when CLIENTSSL_CLIENTCERT { 
if { $collected eq 1 } { 
    log local0. "HTTP release" 
    HTTP::release } 
    if { $protected eq 1 } { 
        if { [SSL::cert count] < 1 } { 
            log local0. "No Certificate Provided for Protected URI" 
            } 
            else {
            log local0. "Protected URI is accessed with client cert"
        }
    } 
}
when HTTP_REQUEST_SEND {
clientside {
    if { $protected eq 1 } {
        if { [SSL::cert count] > 0} {
            HTTP::header insert X-Client-Cert [b64encode [X509::whole [SSL::cert 0]]]
    log local0. "cert=[X509::whole [SSL::cert 0]]"
        } else {
           HTTP::uri "/certError.html"
        }
    }
}
}

with a default configuration in client authentication area in client ssl profile, and using your default pool.