For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Apr 12, 2022
Solved

Request client cert auth based on URL

I am trying to request client cert authentication based on select URL and it works with a whitelist only but when i use the negate in the datagroup with a datagroup including URI string values it doe...
application delivery
cert auth
irule
  • spalande's avatar
    spalande
    Apr 20, 2022

    Try  replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Apr 26, 2022

SanjayP, it seems to be working fine with irule I posted no need to change, on the clientssl profile the Renegotiation checkbox is unchecked actually. I have included the advertised and trusted CA in clientssl profile and when the Irule performs the client cert authentication only these issuers certs are requested which is perfect.

As per F5 documentation Renegotiation:

Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. When enabled, the system processes mid-stream SSL renegotiation requests. When disabled, the system terminates the connection, or ignores the request, depending on system configuration. The default is enabled.

Should we enable this?

spalande's avatar
spalande
Icon for Nacreous rankNacreous
Apr 26, 2022

yes as you would renegotiate for secure URLs in the middle of the session.