Forum Discussion
Pass Client Cert to a Specific URI
I am attempting to do SSL Offloading with an MDM solution by MobileIron. Everything seems to work fine with SSL offloading except for one URL that mobile devices use to reach a WebClip (web-based appstore) that requires a client cert. With a standard type Virtual server with SSL offloading, the client just hangs and eventually times out while trying to reach the link. As soon as I switch the virtual server type to Performance Layer 4 it works. Like I said, everything else works with the exception of this single feature, but this has to work. Is there a way to either just pass the client cert on to the back end for the specific URI or for any URI?
/mifs/c/api/v1/client/$DEVICE_CLIENT_ID$/appstore
I have an SSL Server profile enabled with the back end servers so I am not really doing SSL Offloading. I am just trying to get log data, as the application does not provide much insight into what is going on, and I have a need to apply iRules to restrict access to specific URIs from public locations, which I cannot do without an HTTP profile.
Thanks
- Kevin_Stewart (Employee)
When you say that the URL requires a client cert, is it requiring it in the SSL stream, or can it receive the value by some other means (i.e. HTTP header)?
- Justin1 (Nimbostratus)
I have been trying to do the same recently. I managed to create a VIP for the appstore port and haven't had an issue. As this is a message from some time ago it is unlikely you are still looking to solve this.
I do however have an issue getting the 443 port to allow enrolments and also client auth to work. Client cert auth works for existing devices but I can't enrol a new device. I tried setting the client auth to ignore to allow enrolment but then it breaks as the policy can't download, as it seems it then needs client cert auth.
I tried an iRule to do ssl::renegotiate but that seems to go through the iRule and then back to CLIENT_CLIENTCERT and then stops, so I can't then re-process my rule to do logging and other URI blocking to the public.
Want to do this without APM if possible but it looks to not be possible.
Note: Also seems ssl::renegotiate isn't compatible with TLSv1.3 either
If anyone has an iRule that works I would be very interested