For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Apr 12, 2022
Solved

Request client cert auth based on URL

I am trying to request client cert authentication based on select URL and it works with a whitelist only but when i use the negate in the datagroup with a datagroup including URI string values it doe...
application delivery
cert auth
irule
  • spalande's avatar
    spalande
    Apr 20, 2022

    Try  replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]

Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Apr 13, 2022

Hello Marvin.

Personally, I didn't notice any problem with using negate expressions with data-groups. Maybe with this expression:

 

if { ! ([class match [string tolower [HTTP::uri]] contains DG_ACC_NO_CERT_AUTH]) }{

 

 

In the other hand, 

Marvin wrote:

Another side question is that we would like to perform the SSL::renegotiate and request a specific client cert from a certain CA issuer, how could we accomplish that?

You can use "Advertised Certificate Authorities" to select the specific CA issuer.
REFhttps://support.f5.com/csp/article/K14783