For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Scot_86001's avatar
Scot_86001
Icon for Nimbostratus rankNimbostratus
Feb 21, 2010

iRule Optimization w/ Certificates?

The iRule below functions and performs as it should. I have been told that what I have below may not be efficient or optimized. I am looking to see if anyone can make some suggestions on how to bett...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Feb 22, 2010
The issue with that approach is that you cannot send an HTTP response from the HTTP_REQUEST_SEND event. When I ran into that issue, F5 development created a hotfix to allow sending an HTTP response from the CLIENTSSL_HANDSHAKE event:

 

 

CR125264 - HTTP::respond should be allowed in CLIENTSSL_HANDSHAKE (fix ncluded in 9.4.8HF3)

 

 

Also, you're resetting the connection in CLIENTSSL_CLIENTCERT if the client doesn't present a cert. To handle this more gracefully and send an HTTP response in that case, you need another fix included in 9.4.8HF3:

 

 

CR111646: Connections are no longer rejected when clients fail to send a certificate to a virtual server with a clientssl profile configured to "request" one.

 

 

Aaron