Forum Discussion
Marvin
Cirrocumulus
CirrocumulusRequest client cert auth based on URL
I am trying to request client cert authentication based on select URL and it works with a whitelist only but when i use the negate in the datagroup with a datagroup including URI string values it doe...
Try replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]
MarvinCirrocumulus
CirrocumulusSanjayP, it seems to be working fine with irule I posted no need to change, on the clientssl profile the Renegotiation checkbox is unchecked actually. I have included the advertised and trusted CA in clientssl profile and when the Irule performs the client cert authentication only these issuers certs are requested which is perfect.
As per F5 documentation Renegotiation:
Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. When enabled, the system processes mid-stream SSL renegotiation requests. When disabled, the system terminates the connection, or ignores the request, depending on system configuration. The default is enabled.
Should we enable this?
spalandeNacreous
yes as you would renegotiate for secure URLs in the middle of the session.
- Marvin
As we already perform renegotiate in the irule it is not required to enable renegotiate checkbox in the clientSSL profile right? Or is that still prerequisite?
SSL::renegotiate enable SSL::renegotiate
- Marvin
strange thing is that when searching the complete url it does not work like this
But it does work like this using URL encoded
www.testapp.com%2Fhome%2Flogin
Is the Datagroup and Irule not able to automatically decode the URL so we can use normal URL strings?