Forum Discussion
Selective Client SSL Profile
I am performing certificate-based authentication for Android devices. The Client SSL profile is set to Ignore the Client Certificate and I have defined both the Trusted and Advertised CAs. The Access Policy performs an On Demand Authentication set to Request and everything is working perfectly.
In order to roll out a new internal CA, I would like to be able to use a different Trusted and Advertised CA in the Client SSL profile but only when specifically requested. My thought was to create a new Client SSL profile using the new internal CA and then to switch profiles on the fly using SSL::profile. I would like to do this based on a specific URI - something to the effect of:
when CLIENT_ACCEPTED {
    if { ([HTTP::uri] contains "/new-ca") } {
        SSL::profile /Common/new-ca_client-ssl-profile
    }
}
The problem with this is that HTTP::uri is not valid during a CLIENT_ACCEPTED event. I tried an iRule event in the Access Policy prior to the On Demand Auth; however, SSL::profile is not allowed at that time.
Is there another way to accomplish this? I would really like to change profiles based on URI if possible. Client IP is not really an option.
Thanks
APM 12.1.2
1 Reply
Your problem is that you can't get that information until you have an SSL session, and then you want to change the parameters of that session. That doesn't work easily.
This question gives some suggestions: https://devcentral.f5.com/questions/switch-off-client-auth-or-switch-ssl-profile-altogether-sslcert-mode-or-sslprofile-
The redirect one sounds nice.
If you search for switching SSL profile during session, you will probably find another.