Forum Discussion
Is it possible to create SNI profile enabling ondemand certificate authentication
Two different things here
TLS SNI - This technology establishes a procedure for the Server (BigIP) to select the most appropriate Public SSL certificate to authenticate itself to the Client on a given Listener (Virtual Server).
Certificate Authentication (SSL Mutual Authentication) - This option specifies if a Client must authenticate itself to the Server (BigIP).
Now to come to your question, "Is it possible to create SNI profile enabling ondemand certificate authentication?"
- I can confirm that TLS SNI and SSL-MA can co-exist together, but you probably already know that.
- What may be new to you is that such concept as on-demand doesn't exist in the SSL Mutual Authentication standard. Your options for SSL-MA implementation come down to Required or Not Required. Required method specifies that the SSL handshake will fail and the Client Request will not be processed, unless Client actually presents a correct certificate. In case of the second option (Not Required), Client will be prompted to provide a certificate, but a failure to present a correct certificate will not result in an SSL handshake failure.
The second option (Not Required) may be better if you wish to issue an HTTP redirect to a customer-friendly page which states the reason for failure, and lists some useful information, such as the instructions to obtain a Client Auth certificate. I like it better than having my customers be confused about the odd-looking SSL error.
Regards,
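The redirect-on-missing-certificate approach described in the answer above, written out as an iRule. This is an added example, not code from the original post or from F5. It assumes the virtual server's Client SSL profile has Client Certificate set to "request" (the "Not Required" mode, so the handshake completes even when no valid certificate is presented and the decision is made at the HTTP layer); the help-page URL and the X-Client-Cert-Subject header name are placeholders chosen for this illustration.

```tcl
# Added example (not from the original post or F5 documentation).
# Assumes: Client SSL profile with Client Certificate = "request".
# The help URL and the header name below are assumed placeholders.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has answered the CertificateRequest.
    # SSL::cert count is 0 when the client sent no certificate;
    # SSL::verify_result is 0 only when the chain verified against
    # the profile's Trusted CA bundle.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set client_cert_ok 1
        set client_cert_subject [X509::subject [SSL::cert 0]]
    } else {
        set client_cert_ok 0
    }
}

when HTTP_REQUEST {
    # Let the help page itself through so the redirect cannot loop
    # if the help page is served from this same virtual server.
    if { [string tolower [HTTP::path]] starts_with "/certhelp" } {
        return
    }
    # No cert, or a cert that failed verification: send the user to
    # a page that explains what happened and how to obtain a cert.
    if { ![info exists client_cert_ok] || !$client_cert_ok } {
        HTTP::redirect "https://help.example.com/certhelp"
        return
    }
    # Verified identity: pass the subject upstream for the application.
    HTTP::header insert X-Client-Cert-Subject $client_cert_subject
}
```

With Client Certificate set to "require" instead, none of the HTTP_REQUEST logic would ever run for a client without a valid certificate, because the TLS handshake is aborted before any HTTP is exchanged; that is exactly the browser-side SSL error the answer wants to avoid. Note that in "request" mode the application behind the virtual server must not assume every request carries a verified certificate: the header inserted here is only present on the success path, and any request reaching the backend by another route should be treated as unauthenticated.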