Forum Discussion
I've tried changing the client ca-file to only have the base certs for tuv.com and xyz.com and not their respective CA certs. This prevents curl access even if you're using the certs for tuv.com and xyz.com.
I'm having a really hard time finding documentation for the expected behavior for 2-way SSL. If anyone knows a good source I'd appreciate it.
Besides that, I'd like to know the official purposes of the ca-file and the client ca-file fields in the clientssl profile.
For 2-way, my understanding is that they act as a whitelist for what client certs can and cannot access the vip. But this seems to not be the case, as my post above seems to show. This is either a massive bug, or the intended behavior, and I'm somehow leaning on the latter.
If this is not a way to only allow certain sites to access your vip, what would be the best way to do so?
- Eric_Chen, Aug 30, 2019, Employee
The following has a good summary: https://support.f5.com/csp/article/K14783#4
If you want to only allow specific client certificates this is easy to do with Access Policy Manager to query for specific attributes (i.e. CN=123).
Otherwise it is possible to do with an iRule. The following non-F5 site has an iRule that appears to do something similar to what you are trying to achieve.
https://developers.docusign.com/esign-rest-api/guides/mutual-tls-f5
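An added example of the iRule approach described in the reply above (written for this thread, not taken from F5 or from the DocuSign page), assuming the clientssl profile already requires a client certificate and validates it against the trusted CA chain; the allowed CN values are constructed placeholders.

```tcl
# Allowlist client certificates by subject CN after the clientssl profile
# has already validated the chain. CN values below are constructed examples.
when CLIENTSSL_CLIENTCERT {
    set allowed_cns [list "client.tuv.com" "client.xyz.com"]

    # No certificate presented: nothing to authorize.
    if { [SSL::cert count] < 1 } {
        log local0. "mTLS: no client certificate from [IP::client_addr]"
        reject
        return
    }

    # Chain validation failed (non-zero OpenSSL verify result): do not trust subject.
    if { [SSL::verify_result] != 0 } {
        log local0. "mTLS: chain verification failed ([SSL::verify_result]) from [IP::client_addr]"
        reject
        return
    }

    # Extract CN from the subject string, e.g. "CN=client.tuv.com,O=Example".
    set subject [X509::subject [SSL::cert 0]]
    set cn [findstr $subject "CN=" 3 ","]

    if { [lsearch -exact $allowed_cns $cn] == -1 } {
        log local0. "mTLS: CN '$cn' not in allowlist from [IP::client_addr]"
        reject
        return
    }

    log local0. "mTLS: accepted CN '$cn' from [IP::client_addr]"
}
```

The verify_result check matters because a valid-looking CN on a certificate that did not chain to the configured CA should never be authorized; the CN match alone is not an authentication step.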