JOn2 (Nimbostratus), Apr 25, 2024
LDAPS and renegotiation
Hello, hope everyone is well!
We have a requirement to present two different issuer-signed certificates based on the incoming client IP. I am pretty sure that from an HTTP perspective I would do something like this:

    # Pick the Client SSL profile (and therefore the certificate chain) by source IP.
    # signer_list_of_client_A_IPs is an address data group holding client A's IPs.
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals signer_list_of_client_A_IPs] } {
            SSL::profile cert_with_issuer_type_A
        } else {
            SSL::profile cert_with_issuer_type_B
        }
    }
    # Force a new handshake once an HTTP request has been seen.
    when HTTP_REQUEST {
        SSL::renegotiate
    }
The question I have is whether this would work for LDAPS clients and how (if needed at all) the renegotiation step would be achieved, given that HTTP_REQUEST will not be available.
Many thanks
Jon
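The selection described above can be written so that it does not depend on HTTP_REQUEST at all: CLIENT_ACCEPTED fires on the TCP accept, before the TLS ClientHello arrives, so the client IP is already known and the profile chosen there governs the initial handshake for any TLS-wrapped protocol, LDAPS included. The iRule below is an added example and is not from the original post or from F5; the data group name (client_A_addresses), the two Client SSL profile names (clientssl_issuer_A, clientssl_issuer_B) and the log text are assumptions. Both profiles must be attached to the virtual server for SSL::profile to select between them.

```tcl
# Added example (not from the original post). Assumed names:
#   client_A_addresses                       : address-type data group listing client A's IPs/subnets
#   clientssl_issuer_A / clientssl_issuer_B  : Client SSL profiles carrying chains from two different issuers
when CLIENT_ACCEPTED {
    # CLIENT_ACCEPTED runs on the TCP accept, before any TLS handshake, so the
    # decision rests on the source address alone and applies to any protocol
    # behind this virtual server (LDAPS, HTTPS, ...). Nothing here needs HTTP_REQUEST.
    if { [class match [IP::client_addr] equals client_A_addresses] } {
        SSL::profile clientssl_issuer_A
        set issuer "A"
    } else {
        SSL::profile clientssl_issuer_B
        set issuer "B"
    }
    # Record the choice so per-connection certificate selection can be audited in /var/log/ltm.
    log local0.info "TLS client [IP::client_addr] assigned issuer profile $issuer"
}
```

To confirm the behaviour after deployment, connect from a host in each address range with `openssl s_client -connect <vip>:636 -showcerts < /dev/null 2>/dev/null | openssl x509 -noout -issuer` and compare the printed issuer: it should differ between the two source ranges, and the matching log line should appear in the LTM log for each connection. Whether a later SSL::renegotiate is still wanted for some other reason is a separate decision; with the choice made in CLIENT_ACCEPTED it is not needed merely to apply the selected certificate.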