Forum Discussion

EuropeanITCrow1
Jun 28, 2017

Selective client cert authentication based on URI

Hi,

I’m looking for a way to use different advertised certificate authorities and trusted certificate authorities based on the URI.

I read a lot of articles here on DevCentral and learned that it should be possible to fulfil this request. Unfortunately, it isn't working here.

That’s my iRule:

when CLIENTSSL_CLIENTCERT {
  # Runs once the renegotiation has completed: release the held request
  # and drop the connection if the client still presented no certificate.
  HTTP::release
  if { [SSL::cert count] < 1 } {
    reject
  }
}

when HTTP_REQUEST {
  switch -glob [string tolower [HTTP::uri]] {
    "/uri1*" {
      if { [SSL::cert count] <= 0 } {
        # Hold the request, switch to the URI-specific client SSL profile
        # and ask the client for a certificate.
        HTTP::collect
        SSL::session invalidate
        set cmd "SSL::profile /partition1/cssl_profile_uri1"
        eval $cmd
        SSL::renegotiate
        # tried with or without "event disable all"; both not working
        event disable all
      }
    }
    "/uri2*" {
      if { [SSL::cert count] <= 0 } {
        HTTP::collect
        SSL::session invalidate
        set cmd "SSL::profile /partition1/cssl_profile_uri2"
        eval $cmd
        SSL::renegotiate
        event disable all
      }
    }
  }
}

when HTTP_REQUEST_SEND {
  clientside {
    if { [SSL::cert count] > 0 } {
      # Take the base64 body between the PEM markers, strip spaces, CR and LF,
      # and pass it to the backend in a request header.
      set thecert [findstr [X509::whole [SSL::cert 0]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
      set certnospace [string map -nocase {" " "" \n "" \r ""} $thecert]
      HTTP::header insert "SSL_CLIENT_CERT" $certnospace
    }
  }
}

cssl_profile_uri1 and cssl_profile_uri2 are child profiles of cssl_profile. cssl_profile contains only the cert/key/chain and cipher configuration. The child profiles simply contain the settings Client Certificate: require, Frequency: always, and of course the specific Trusted Certificate Authorities and Advertised Certificate Authorities. The other options are not modified.

Nevertheless it’s not working as expected. Does anybody have an idea for this?

Is the full path needed for the SSL::profile command? Of course I tried both, with and without. Neither worked.

Best regards
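The HTTP_REQUEST_SEND section of the iRule above hands the backend the client certificate as one line of base64 in an SSL_CLIENT_CERT header, with the PEM armor and all whitespace removed. The following is an added example of what the receiving application has to do with that value; it is my own code, not the poster's iRule and not anything from F5. It reproduces the iRule's transformation on the proxy side, then on the backend side validates the header value (strict base64, DER SEQUENCE tag, encoded length matching the decoded size, which catches a truncated or corrupted header) and re-armors it as PEM so a TLS library can parse it. The sample bytes are a constructed stand-in DER SEQUENCE, not a real X.509 certificate.

```python
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Standard PEM armor: base64 wrapped at 64 columns between the markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return PEM_BEGIN + "\n" + "\n".join(lines) + "\n" + PEM_END + "\n"


def irule_header_value(pem: str) -> str:
    """Proxy side: mimic the iRule's findstr + string map.
    Take the text between the PEM markers and drop spaces, CR and LF."""
    start = pem.index(PEM_BEGIN) + len(PEM_BEGIN)
    end = pem.index(PEM_END, start)
    body = pem[start:end]
    return body.replace(" ", "").replace("\n", "").replace("\r", "")


def header_to_der(value: str) -> bytes:
    """Backend side: validate the SSL_CLIENT_CERT header value and return DER.
    Raises ValueError unless the value is strict base64 of a complete DER
    SEQUENCE (every X.509 certificate starts with tag 0x30)."""
    if not value or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        raise ValueError("header value is not base64")
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64: {exc}") from None
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded value is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        hdr_len, body_len = 2, first
    else:                                  # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        hdr_len, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr_len + body_len != len(der):
        raise ValueError(
            f"DER length mismatch: header says {hdr_len + body_len} bytes, "
            f"got {len(der)} (truncated or corrupted header?)")
    return der


def header_to_pem(value: str) -> str:
    """Backend side: re-armor the validated header value as PEM."""
    return der_to_pem(header_to_der(value))


def is_valid_header(value: str) -> bool:
    """Convenience wrapper: True if header_to_der accepts the value."""
    try:
        header_to_der(value)
        return True
    except ValueError:
        return False


# Constructed stand-in for a certificate: SEQUENCE { SEQUENCE { INTEGER 1 },
# OCTET STRING "abc" }. It exercises the DER checks; it is not a real X.509 cert.
SAMPLE_DER = bytes.fromhex("300a30030201010403616263")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    header = irule_header_value(SAMPLE_PEM)
    print("SSL_CLIENT_CERT:", header)
    print(header_to_pem(header))
    # Simulate a header truncated in transit: the length check rejects it.
    print("truncated header accepted:", is_valid_header(header[:-4]))
```

The length check matters because a base64 string that has lost a trailing block is still valid base64, so decoding alone would not notice it. As general practice for this pattern (not something the post states), the backend should only honour SSL_CLIENT_CERT when the request arrived via the BIG-IP, and the proxy should remove any client-supplied header of that name before inserting its own.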
