For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

IvanKusturic's avatar
IvanKusturic
Icon for Nimbostratus rankNimbostratus
Oct 15, 2020

iRules for SSL certificates

Hi everybody,   We have a client who is hosting three FQDN's on same web server. In order to deliver correct SSL certificates based on the server name, we have configured SNI, with three different ...
ASM Advanced WAF
Default
iRules
security
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Nov 01, 2020

You need to use SSL::renegotiate and something like

when CLIENTSSL_HANDSHAKE {
  if { [SSL::cert count] > 0 } {
    if { $http_collected eq 1 } {
      HTTP::release
      set http_collected 0
    }
  }
} 
when HTTP_REQUEST {
  if { ([HTTP::host] eq "siteB.com") && ([HTTP::uri] starts_with "/admin/") } {
    if {[SSL::cert count] == 0} {
      set http_collected 1
      HTTP::collect
      SSL::session invalidate
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      SSL::renegotiate enable
      SSL::renegotiate
    }
  }
}

Note: this is a modified example from the SSL::renegotiate page, and has not been tested, so YMMV