For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Gregory_Gerard_'s avatar
Gregory_Gerard_
Icon for Nimbostratus rankNimbostratus
Mar 06, 2012

Request arbitrary client certificate in iRule rather than by profile

I'm missing it if it's possible in the SSL:: stuff but here's what I'd like:     Server terminates SSL on 443       From the URL it can be known that a client certificate should be provi...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Mar 06, 2012
Hi Gregory,

 

 

I'm not sure this is feasible as I think you need to tell the client which CA's certs you'll accept using the Advertised CA bundle option in the client SSL profile. I think if you don't send a CA for a client cert the client has, they won't get prompted for a cert and can't provide it. Have you tried testing this on a non-production virtual server or LTM unit?

 

 

For reference, here's a description of the SSL handshake process:

 

 

http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10660_.htm

 

 

The serverHello message should contain "a list of...the Distinguished Names of acceptable Certification Authorities (CAs)":

 

 

 

The SSL server responds with a "server hello" message that contains the CipherSuite chosen by the server from the list provided by the SSL client, the session ID and another random byte string. The SSL server also sends its digital certificate. If the server requires a digital certificate for client authentication, the server sends a "client certificate request" that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs).

 

 

 

Aaron