Forum Discussion

Ian_38374's avatar
Ian_38374
Icon for Nimbostratus rankNimbostratus
Sep 05, 2012

Pass Client Cert to a Specific URI

I am attempting to do SSL Offloading with a MDM solution by MobileIron. Everything seems to work fine with SSL offloading except for one URL that mobile devices use to reach a WebClip (web based appstore) that requires a client cert. With a standard type Virtual server with SSL offloading, the client just hangs and eventually times out while trying to reach the link. As soon as I switch the virtual server type to Performance Layer 4 it works. LIke I said, everything else works with the exception of this single feature, but this has to work. Is there a way to either just pass the client cert on to the back end for the specific URI or for any URI?

 

/mifs/c/api/v1/client/$DEVICE_CLIENT_ID$/appstore

 

I have a SSL Server profile enabled with the back end servers so I am not really doing SSL Offloading, I am just trying to get log data as the application does not provide much insight into what is going on and I have need to apply iRules to restict access to specific URIs from public locations which I cannot do with out an HTTP profile.

 

Thanks

 

 

application delivery
dev
devops
iRules

2 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 06, 2012
    When you say that the URL requires a client cert, is it requiring it in the SSL stream, or can it receive the value by some other means (ie. HTTP header)?

     

     

    You can't pass the client certificate in the SSL stream unless you do something like ProxySSL, which wouldn't work "mid-session".
  • Justin1's avatar
    Justin1
    Icon for Nimbostratus rankNimbostratus
    Aug 25, 2023

    I have been trying to do the same recently. I managed to create a VIP for the appstore port and havent had an issue. As this is a message from some time ago it is unlikely you are still looking to solve this.

    I do however have an issue getting the 443 port to allow enrolments and also client auth to work. Client cert auth works for existing devices but I can't enrol a new device. I tried setting the client auth to ignore to allow enrolment but then breaks as the plicy can't download as it seems it then needs client cert auth.

    I tried an irule to do ssl::renegotiate but that seems to go through the iRule and then back to CLIENT_CLIENTCERT and then stops so I can't then re-process my rule to do logging and other URI blocking to the public.

    Want to do this without APM if possible but it looks to not be possible.

    Note: Also seems ssl::renegotiate isn't compatible with TLSv1.3 either

    If anyone has an iRule that works I would be very interested