F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Snl's avatar
Snl
Icon for Cirrostratus rankCirrostratus
Apr 02, 2018

redirect the pool based on certname

Folks   Can someone guide me the procedure for configure multiple certificate name to redirect to specific pools without doing any ssl offloading on the F5 VS   I want to redirect the traffic b...
application delivery
iRules
LTM
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Apr 03, 2018

Hi,

Do you expect that the load balancing decision is done based on client certificate?

TLS protocol is simple:

Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

As you can see, the client doesn't send it's certificate until the server doesn't request it. If you don't want SSL offloading, the load balancing method must be done just after the client sent the first packet, but the client certificate is sent in the 2nd client packet.