Forum Discussion
Gregory_Gerard_
Nimbostratus
Mar 06, 2012
Request arbitrary client certificate in iRule rather than by profile
I'm missing it if it's possible in the SSL:: stuff but here's what I'd like:
Server terminates SSL on 443
From the URL it can be known that a client certificate should be provi...
hoolio
Cirrostratus
Mar 06, 2012
Hi Gregory,
I'm not sure this is feasible, as I think you need to tell the client which CAs' certs you'll accept using the Advertised CA bundle option in the client SSL profile. I think if you don't send a CA for a client cert the client has, they won't get prompted for a cert and can't provide it. Have you tried testing this on a non-production virtual server or LTM unit?
For reference, here's a description of the SSL handshake process:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10660_.htm
The serverHello message should contain "a list of...the Distinguished Names of acceptable Certification Authorities (CAs)":
The SSL server responds with a "server hello" message that contains the CipherSuite chosen by the server from the list provided by the SSL client, the session ID and another random byte string. The SSL server also sends its digital certificate. If the server requires a digital certificate for client authentication, the server sends a "client certificate request" that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs).
Aaron
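The handshake step quoted in the reply above, as an added example that is not part of the original thread and not F5 code: a Python parser for the TLS 1.2 CertificateRequest message (RFC 5246 section 7.4.4), which is the message that actually carries the certificate types, signature algorithms and the DER-encoded Distinguished Names of the acceptable CAs. The sample message, the CA names in it and the helper function names are constructed for this example, not captured from an F5 device. One caveat a practitioner should keep in mind: RFC 5246 also allows an empty certificate_authorities list, in which case the client may send any certificate of the requested type, so the parser returns an empty list for that case rather than treating it as an error.

```python
"""Parse a TLS 1.2 CertificateRequest (RFC 5246 s7.4.4) and list the advertised CA DNs.
Added example; the sample message is constructed inline, not captured from a real server."""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
           "2.5.4.10": "O", "2.5.4.11": "OU"}  # X.501 attribute types seen in CA DNs


def der_tlv(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_oid_str(raw):
    """Dotted-decimal form of an OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def name_from_der(raw):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'C=..,O=..,CN=..'."""
    tag, seq, _ = der_read(raw, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    parts, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = der_read(seq, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        inner = 0
        while inner < len(rdn):
            _, atv, inner = der_read(rdn, inner)
            _, oid, p = der_read(atv, 0)
            _, value, _ = der_read(atv, p)
            parts.append(f"{DN_OIDS.get(der_oid_str(oid), der_oid_str(oid))}={value.decode()}")
    return ",".join(parts)


def build_name(attrs):
    """Build a DER Name from [(oid, text)], one attribute per RDN (used for the sample)."""
    rdns = b"".join(der_tlv(0x31, der_tlv(0x30, der_oid(o) + der_tlv(0x0C, t.encode())))
                    for o, t in attrs)
    return der_tlv(0x30, rdns)


def parse_certificate_request(msg):
    """Parse a full handshake message (1-byte type, 3-byte length, body)."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("truncated message")
    n, pos = body[0], 1                                   # certificate_types<1..2^8-1>
    types, pos = [CLIENT_CERT_TYPES.get(t, t) for t in body[pos:pos + n]], pos + n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2   # supported_signature_algorithms
    sigalgs = [(HASH_ALGS.get(body[i], body[i]), SIG_ALGS.get(body[i + 1], body[i + 1]))
               for i in range(pos, pos + n, 2)]
    pos += n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2   # certificate_authorities<0..2^16-1>
    end, cas = pos + n, []                                # empty list is legal: client may send any cert
    while pos < end:
        dn_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
        cas.append(name_from_der(body[pos:pos + dn_len]))
        pos += dn_len
    if pos != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    return {"certificate_types": types, "signature_algorithms": sigalgs, "certificate_authorities": cas}


def build_certificate_request(cert_types, sigalgs, ca_names):
    """Encode a CertificateRequest; used only to construct the sample below."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes(pair) for pair in sigalgs)
    body += struct.pack("!H", len(sa)) + sa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body += struct.pack("!H", len(cas)) + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


# Constructed sample: what a server whose client SSL profile advertises two CAs would send.
SAMPLE_CAS = [build_name([("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example Corp Issuing CA")]),
              build_name([("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example Corp Root CA")])]
SAMPLE_MSG = build_certificate_request([1, 64], [(4, 1), (4, 3), (2, 1)], SAMPLE_CAS)


def advertised_cas(msg=SAMPLE_MSG):
    """The CA DN strings a client would see in this CertificateRequest."""
    return parse_certificate_request(msg)["certificate_authorities"]


if __name__ == "__main__":
    req = parse_certificate_request(SAMPLE_MSG)
    print("certificate_types:", req["certificate_types"])
    print("signature_algorithms:", req["signature_algorithms"])
    for dn in req["certificate_authorities"]:
        print("acceptable CA:", dn)
```

To check what a real virtual server advertises, connect with `openssl s_client -connect host:443`; when the server requests a client certificate, the tool prints the decoded list under "Acceptable client certificate CA names", which is the same data this parser extracts.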