Forum Discussion
NimbostratusRe-execute iRule to read CN value of client cert, but after you know URI.
NimbostratusThanks I will try that tomorrow and let you know.
I think I may need to add the following to get an alternative client profile to ask for the client cert though. Is that right?
.......
# Redirect to a special URI that will prompt for a client certificate
HTTP::redirect "/require-cert$httpUri"
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
set cmd "SSL::profile /Common/ClientSSL-RequireCert-Profile"
SSL::renegotiate
return
........
- SebScott
Hi.
I did try this method, but got hit with a few little snags that I think are telling me I can't run these HTTP commands in the CLIENTSSL_CLIENTCERT event. Although the last line suggests I have not got the syntax right for the variable, which I could fix it is the first 3 lines that suggest I can't make this work because they need to be in the HTTP_REQUEST event, is that correct?
I am going to try and fire off a subroutine(Proc) to re-initiate the the ssl negotiation against different client SSL profile and then execute another Irule to trigger the CLIENT_SSL event and subsequent HHTP_REQUEST event which all seems very complicated so open to other simpler suggestions like this previous one from susan789wolf that showed real promise in the simpler logic
[command is not valid in current event context (CLIENTSSL_CLIENTCERT)][HTTP::redirect $original_uri] /Common/API-CNCheck-New-v2:53: error: [command is not valid in current event context (CLIENTSSL_CLIENTCERT)][HTTP::uri] /Common/API-CNCheck-New-v2:51: error: [command is not valid in current event context (CLIENTSSL_CLIENTCERT)][HTTP::uri] /Common/API-CNCheck-New-v2:3: error: [wrong # args][set static::client_cert_required "/BlahBlah" "/YadaYada/*"]
