Modify SSL Sign Hash in SSL client profile or change SSL client profile before renegociate.

Question

Hi&nbsp;
I have a VS with a SSL Client Profile. This SSL client profile is configured with a SSL Sign Hash value at "SHA1" and client authentication.&nbsp;
If the SSL negotiation results in no certificate being sent from the client, I want to renegotiate with the SSL Sign Hash value at SHA256 (only SHA256 and SHA1 can be used that's why I don't use the value ANY).&nbsp;
I see 2 different solutions : &nbsp;
1) Modify the SSL Sign Hash value in the SSL client profile and use the renegociate command (SSL::renegociate).&nbsp;
2) Change the SSL client profile (SSL::profile) and renegociate (SS::renegociate)&nbsp;
My problems are for each solution:&nbsp;
1)I didn't found the Irule command to modify the SSL SignHash in a SSL client profile&nbsp;
2)The only event where I can use the SSL::profile command is CLIENT_ACCEPTED which is not triggered after the SSL::renegociate command.&nbsp;
If anyone have a solution...&nbsp;
Thank you.&nbsp;
Fred&nbsp;

daniel_varela · Answer

I think you should be able to use SSL::profile out of the client_accepted event. I assume you check for the certificate in clientssl_clientcert, if there is no client cert then change the SSL::profile there, flags it with a variable and on the HTTP_REQUEST event use the SSL::renegotiate. That should force the renegotiation using the second SSL profile.

Forum Discussion

Modify SSL Sign Hash in SSL client profile or change SSL client profile before renegociate.

Recent Discussions

AS3 Limitations

Help needed with iRule (connection closed log )

Use of SSL Decryption.

VLAN Failsafe Functionality

FTP PASV mode to Extended Passive mode

Related Content

F5 BIG-IP Advanced WAF – DOS profile configuration options.

iControl REST Cookbook - Virtual Server Profile (LTM Virtual Profiles)

Update your DevCentral user profile

DoS Profiles

SSL Profiles

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS