Forum Discussion
iRule that presents certificate doesn't run in TLSv1.3
Hi rnavarro
TLS 1.3 has removed support for renegotiation. The SSL::renegotiate iRule command, which is used to request a client certificate after the initial handshake (for example, based on a specific URI), is not supported in TLS 1.3. When a client connects using TLS 1.3 and your iRule tries to invoke SSL::renegotiate, the connection will fail—typically with a handshake error or silent failure. This is exactly what you are seeing with recent versions of Chrome and Edge, which now default to TLS 1.3 and support post-quantum key exchange (ML-KEM/Kyber) ciphers.
References:
- K000130283: On-Demand Cert Auth not working on Windows 11 or any TLS Client that uses TLS 1.3
- K52170084: BIG-IP does not support TLS 1.3 Post-Handshake Authentication
If you require on-demand client certificate authentication (i.e., requesting a certificate after the handshake based on URI or other conditions), you must disable TLS 1.3 in your Client SSL profile. This will force clients to use TLS 1.2, where renegotiation is still supported.
Rewrite the iRule to Avoid Renegotiation for TLS 1.3 Connections
when HTTP_REQUEST {
    # Renegotiation only exists in TLS 1.2 and earlier, so gate on the negotiated version
    if { [SSL::cipher version] eq "TLSv1.2" } {
        # Ask once per connection: skip the renegotiation if a client cert was already received
        if { [SSL::cert count] == 0 } {
            SSL::cert mode request
            SSL::renegotiate
        }
    } else {
        # TLS 1.3 (or any version other than 1.2): renegotiation is not available, do not attempt it.
        # Fail closed here; otherwise a TLS 1.3 client reaches the URI without ever presenting a certificate.
        log local0. "Client cert not requested: [SSL::cipher version] from [IP::client_addr]"
        HTTP::respond 403 content "Client certificate required; TLS 1.3 does not support on-demand renegotiation"
    }
}
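The profile-side workaround from the reply (disable TLS 1.3 on the Client SSL profile so clients fall back to TLS 1.2) as an added shell example; it is not code from the original post or from F5. It assumes the `tmsh list ltm profile client-ssl <name> options` output has the `options { ... }` shape shown in the constructed sample, and the profile name `ondemand-clientssl` is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from F5): audit a BIG-IP
# client-ssl profile for TLS 1.3 and emit the tmsh command that disables it.
# Assumptions: tmsh "list" output in the form shown below; the profile name
# "ondemand-clientssl" and the sample listing are constructed for this example.

# Constructed sample of: tmsh list ltm profile client-ssl ondemand-clientssl options
SAMPLE_PROFILE_LISTING='ltm profile client-ssl ondemand-clientssl {
    options { dont-insert-empty-fragments }
}'

# Print the contents of the "options { ... }" line from a tmsh client-ssl listing.
profile_options() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*options[[:space:]]*{[[:space:]]*\(.*\)[[:space:]]*}.*/\1/p'
}

# Return 0 when the listing still allows TLS 1.3 (no "no-tlsv1.3" among the
# options), 1 when TLS 1.3 is already disabled on the profile.
tls13_allowed() {
    for o in $(profile_options "$1"); do
        [ "$o" = "no-tlsv1.3" ] && return 1
    done
    return 0
}

# Print the tmsh command that disables TLS 1.3 on the named profile. The
# options list is replaced wholesale by "options { ... }", so every option
# already present in the listing is carried over.
disable_tls13_cmd() {
    name=$1
    set -- $(profile_options "$2") no-tlsv1.3
    printf 'tmsh modify ltm profile client-ssl %s options { %s }\n' "$name" "$*"
}

# Usage on a live BIG-IP (not run here; requires tmsh):
#   listing=$(tmsh list ltm profile client-ssl ondemand-clientssl options)
#   tls13_allowed "$listing" && disable_tls13_cmd ondemand-clientssl "$listing"
#   ... then run the printed command and: tmsh save sys config
```

After applying the printed command, `openssl s_client -connect <vip>:443 -tls1_3` should fail to complete a handshake while `-tls1_2` succeeds, which confirms that browsers defaulting to TLS 1.3 will now fall back to 1.2 and the `SSL::renegotiate` path can run again.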