LDAPS and renegotiation

Question

Hello, hope everyone is well!we have a requirement to present 2 different issuer/signed certificates based on the incoming client IP. I am pretty sure from an HTTP perspective I would do something like this&nbsp;when CLIENT_ACCEPTED {&nbsp; &nbsp;if {([class match [IP::client_addr] eq signer_list_of_client_A_IPs]) } { &nbsp;&nbsp; &nbsp; &nbsp; SSL::profile cert_with_issuer_type_A&nbsp; &nbsp;} else {&nbsp; &nbsp; &nbsp; SSL::profile cert_with_issuer_type_B&nbsp; &nbsp;}}when HTTP_REQUEST {&nbsp; &nbsp;SSL::renegotiate&nbsp;}Question I have is whether this would work for LDAPS clients and how (if needed at all) the renegotiation step would be achieved, given that the HTTP_REQUEST will not be available.Many thanksJon

spalande · Answer

Have you tried using renegotiation option from the clientssl profile?&nbsp;

jon2 · Answer

Thanks Sanjay, good suggestion, I will try that out and report back!

Forum Discussion

LDAPS and renegotiation

2 Replies

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

Requirement for BIG-IQ VM Deployment in AWS

Can't change sync type or failover after tenant upgrade.

Cannot ping external interface

How can k8s CIS CRD VirtualServer reference existing APM Access profile?

F5 asm/awaf

Related Content

SSL Legacy Renegotiation vs Secure Renegotiation Explained using Wireshark

SSL Profiles Part 6: SSL Renegotiation

SSL renegotiation DOS mitigation

Re: SSL Renegotiation DOS attack – an iRule Countermeasure

LDAP Proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS