Forum Discussion

Alex_Moundalexi's avatar
Alex_Moundalexi
Icon for Nimbostratus rankNimbostratus
Mar 14, 2008

OCSP w/ requested client certifications.

When configuring a virtual server client certificates can be ignored, requested, or required.     Is there a way to determine what how a particular VS is configured to handle client certificate...
application delivery
dev
devops
iRules
Colin_Walker_12's avatar
Colin_Walker_12
Historic F5 Account
Mar 19, 2008
Here's a great example in the codeshare that you may want to take a look at: Click here.

It's a little advanced, but it does some things that you'll want to look through, like:


} elseif {([matchclass [TCP::local_port] equals $::vip_http_ports]) }{
       Request was to an HTTP port, not an HTTPS port, so disable client SSL profile if one is enabled on the VIP
      set vip_http_port 1
      if {$::debug}{log local0. "HTTP request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}
       Check to see if there is a client SSL profile and if so, disable it
      if { [PROFILE::exists clientssl] == 1} {
         if {$::debug}{log local0. "Client SSL profile enabled on VIP.  Disabling SSL"}
         set disable_cmd "SSL::disable"
         eval $disable_cmd
      } 
   }

This still doesn't solve the issue of determining when you want the profile enabled/disabled, but at least it shows you how to turn it on/off.

Colin