Forum Discussion
Ron_Adams_11068
Nimbostratus
Jan 12, 2006
Select among clientssl profiles
Need help with 9.2 iRule syntax to select a clientssl profile other than the default assigned to the virtual server?
A previous post returned this statement:
"Unfortunately, you're going to need to wait until 9.2 where an iRule can select among clientssl profiles."
If you have sample syntax, I'd appreciate it.
11 Replies
- Colin_Walker_12
Historic F5 Account
Ron,
I'd check this posting for an answer to your questions. Another user had the same question and was able to find some helpful information:
Click here
-Colin
- laurent_marion2
Nimbostratus
Hi,
I followed all the posts and did not find the right answer.
Is it possible to change the client SSL profile to another one inside an iRule?
Thanks
- unRuleY_95363
Historic F5 Account
Use the following command to switch between SSL profiles:
SSL::profile
Note: If you are doing this to select among client certificates, you'll need to do it before the SSL negotiation occurs (or you'll need to have SSL renegotiate). A common application would be to have a generic SSL profile with no certificate required, then after receiving the initial uri, switch SSL profiles and force an SSL::renegotiate to test for the required certificate. Either that or determine the SSL profile based on L4 information.
- Colin_Walker_12
Historic F5 Account
- Lance_King_5508
Nimbostratus
Colin,
Thanks for adding the code. I'm new to this, really helps.
I do have a problem though, when I try to save my rule, I get this message:
01070151:3: Rule [set_ssl] error:
line 3: [command is not valid in current event context (HTTP_REQUEST)] [SSL::profile
Is this supported for all versions? I'm running 9.1.
Thanks
Lance
- Colin_Walker_12
Historic F5 Account
After a little more research, it looks as though the SSL::profile command is only valid under two events:
CLIENT_ACCEPTED and SERVER_CONNECTED
Try using it under one of those two events and see if you don't get better results.
-Colin
- Ron_Adams_11068
Nimbostratus
The sample code provided on DevCentral at http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__profile.html shows the following:
when HTTP_REQUEST {
    if { [HTTP::host] eq "host1" } {
        SSL::profile host1_profile
    } else {
        SSL::profile ssl_profile2
    }
    SSL::renegotiate
}
This is close to what I need to accomplish, yet this results in an error:
[command is not valid in current event context (HTTP_REQUEST)] [SSL::profile host1_profile]
So event context seems to be the major stumbling block. I can't do SSL commands with when HTTP_REQUEST, and I can't access [HTTP::host] or use SSL::renegotiate with when CLIENT_ACCEPTED.
Is there a valid example of using the SSL::profile command to switch profiles based on host name?
- Looks like we need to update that sample code. To be able to look at the hostname, which is part of the HTTP payload, the content must be decrypted. To be decrypted it must use its clientssl profile. This happens after the SSL negotiation occurs.
It's discussed in this thread:
http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=3071
rapmaster_c alludes to a way to get around this by using two virtuals (one http the other https) but this may or may not work in your situation.
Currently the SSL::profile command is only available in the CLIENT_ACCEPTED and SERVER_CONNECTED events where you don't have access to the layer 7 content.
-Joe
- Ron_Adams_11068
Nimbostratus
rapmaster_c is referring to use of a "session entry" as a possible direction. Could you explain this "session entry" further or point me to some docs?
- Henrik_Gyllkran
Nimbostratus
I could use some information about this as well, since this could solve a problem I'm facing. Any examples of how to do what rapmaster_c describes would be great. The application works that way anyway: first the client starts with HTTP and is later redirected to HTTPS, so that part of the solution is already in place.
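The constraint the thread arrives at is that SSL::profile is only usable in CLIENT_ACCEPTED (or SERVER_CONNECTED), before anything at layer 7 is decrypted, so the profile has to be chosen from L4 information, as unRuleY and Joe describe, or carried over from a plain-HTTP virtual through a session entry, as rapmaster_c is said to have suggested. The following pair of iRules is an added example of that two-virtual pattern; it is not code from the thread or from F5's documentation. The profile names, the host name, the 10.1.0.0/16 subnet, the 60-second timeout and the use of the UIE session table as a scratch store keyed by client address are all assumptions.

```tcl
# iRule on the plain-HTTP (port 80) virtual. The hostname is readable here,
# so record which clientssl profile this client should get, then redirect to
# HTTPS. Keying on client address is weak behind NAT (several clients share
# one key), which is why the entry is short-lived and only an override.
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] eq "host1.example.com" } {
        # assumed profile name for the host that requires a client certificate
        session add uie [IP::client_addr] "host1_profile" 60
    } else {
        # assumed name of the generic profile with no certificate required
        session add uie [IP::client_addr] "ssl_profile2" 60
    }
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}

# iRule on the HTTPS (port 443) virtual. CLIENT_ACCEPTED fires before the
# handshake, which is the only point where SSL::profile is valid, so the
# decision can use L4 data and the session entry, never HTTP::host.
when CLIENT_ACCEPTED {
    # L4 default: clients from the assumed 10.1.0.0/16 admin subnet get the
    # certificate-requiring profile, everyone else the generic one.
    set chosen "ssl_profile2"
    if { [IP::addr [IP::client_addr] equals 10.1.0.0/16] } {
        set chosen "host1_profile"
    }
    # If the HTTP virtual left a session entry for this client, it wins.
    set remembered [session lookup uie [IP::client_addr]]
    if { $remembered ne "" } {
        set chosen $remembered
    }
    SSL::profile $chosen
    # Log the choice so a wrong profile (e.g. a cert-required profile handed
    # to a NAT neighbour) can be traced from the LTM log.
    log local0. "client [IP::client_addr] assigned clientssl profile $chosen"
}
```

Because the profile is fixed before the handshake, a client that never passed through the HTTP virtual simply gets the L4 default; no renegotiation is attempted.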