Forum Discussion

Alex_Moundalexi
Mar 14, 2008

OCSP w/ requested client certifications.

When configuring a virtual server client certificates can be ignored, requested, or required.

Is there a way to determine how a particular VS is configured to handle client certificates?

When an authorization profile is used that utilizes OCSP, a client certificate needs to be present. The default iRule handles things just fine if the certificate is required, but balks when a certificate isn't presented.

I was looking at PROFILE::clientssl but the syntax of the command isn't explained on the wiki at all. I know there's a mode setting (that returns 0 for SSL, 1 for non-SSL), but other than that I haven't found any reference to other parameters.
  • Colin_Walker_12
    Historic F5 Account
    Here's a great example in the codeshare that you may want to take a look at: Click here.

    It's a little advanced, but it does some things that you'll want to look through, like:

    } elseif { [matchclass [TCP::local_port] equals $::vip_http_ports] } {
        # Request was to an HTTP port, not an HTTPS port, so disable the client SSL profile if one is enabled on the VIP
        set vip_http_port 1
        if { $::debug } { log local0. "HTTP request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]" }
        # Check to see if there is a client SSL profile and, if so, disable it
        if { [PROFILE::exists clientssl] == 1 } {
            if { $::debug } { log local0. "Client SSL profile enabled on VIP. Disabling SSL" }
            # SSL::disable is run via eval so the iRule still validates on VIPs without a client SSL profile
            set disable_cmd "SSL::disable"
            eval $disable_cmd
        }
    }

    This still doesn't solve the issue of determining when you want the profile enabled/disabled, but at least it shows you how to turn it on/off.

    Colin
  • This still doesn't solve the issue of determining when you want the profile enabled/disabled, but at least it shows you how to turn it on/off.

    That's the thing, all of the VS are using SSL profiles. The only difference is what options are configured within the profile. I need to be able to determine whether client certificates are required or requested or ignored, somehow passing that information back to an iRule to make a decision.

  • Colin_Walker_12
    Historic F5 Account
    And what piece of data in the client request would you use to make that determination? If you can't determine which profile to use before connecting to the server, then you have to use a default profile to connect, at which point it's too late to force a require or ignore.

    Colin
  • And what piece of data in the client request would you use to make that determination? If you can't determine which profile to use before connecting to the server, then you have to use a default profile to connect, at which point it's too late to force a require or ignore.

    Nothing in the client request. I'm not looking to change the way that the SSL session is handled, but the OCSP authentication needs to be conditional depending on whether client certificates are present or not.

    I was hoping for a system-provided variable, similar to how you can write iRules based on the number of available nodes in a pool.
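Added example, not from this thread or from F5's stock rule: instead of reading the profile's ignore/request/require setting, the iRule branches on whether the client actually presented a certificate (`SSL::cert count`) and only starts the OCSP check when one is there. It assumes a PAM auth configuration named `ocsp_auth` (placeholder) and that the `AUTH::`, `SSL::cert` and `SSL::handshake` commands are available on the reader's release.

```tcl
# Added example (not from the thread or from F5). Gates OCSP on client-cert
# presence so a profile in "request" mode no longer trips the auth rule when
# no certificate is offered. "ocsp_auth" is a placeholder PAM config name.
when CLIENT_ACCEPTED {
    set ocsp_sid 0
    set cert_seen 0
}
when CLIENTSSL_CLIENTCERT {
    # Fires during the handshake for both "request" and "require"; with
    # "request" it can fire with zero certificates in the peer chain.
    if { [SSL::cert count] == 0 } {
        log local0. "No client cert from [IP::client_addr]; OCSP check skipped"
        return
    }
    set cert_seen 1
    if { $ocsp_sid == 0 } {
        set ocsp_sid [AUTH::start pam ocsp_auth]
        AUTH::subscribe $ocsp_sid
    }
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::authenticate $ocsp_sid
    # Pause the handshake until AUTH_RESULT has a verdict
    SSL::handshake hold
}
when AUTH_RESULT {
    if { $ocsp_sid == [AUTH::last_event_session_id] } {
        set status [AUTH::status]
        if { $status == 0 } {
            SSL::handshake resume
        } elseif { $status != -1 } {
            # Revoked or unverifiable certificate: drop the connection
            log local0. "OCSP rejected cert from [IP::client_addr]"
            reject
        }
    }
}
when CLIENTSSL_HANDSHAKE {
    # This is the decision point the thread is after: in "request" mode a
    # handshake can complete with no certificate and therefore no OCSP check,
    # so anything downstream must treat such a session as unauthenticated.
    if { $cert_seen == 0 } {
        log local0. "Handshake from [IP::client_addr] completed without a client cert"
    }
}
```

The logging in `CLIENTSSL_HANDSHAKE` is where a per-VS policy (for example, rejecting certificate-less sessions on VSs that are meant to require one) would go; the snippet only records the condition.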