Forum Discussion
Selective mutual authentication by HTTP::Host
- Apr 28, 2021
You can create new clientSSL profile with SNI option selected with server name added for the domain who needs mTLS and keep wildcard as default for SNI. So VIP would have 2 clientssl profiles (1 existing wildcard + new sni clientssl profile)
In the new, clientssl profile, you can select the mTLS option require and CA of the client certificate to validate it.
You can also add any custom iRule if needed to validate subjectDN of client cert or sending the cert details to the backend (this is optional as per requirement)
SSL::verify_result is used to set the error code after verifiying the client certificate.
[X509::verify_cert_error_string [SSL::verify_result]] is used to provide the actual error message if client certificate is invalid.
In order to validate and check client certificate is issued by trusted CA, you would need to use clientssl profile settings. Import the intermediate (Issuer CA) certificate of client certificate in F5. If there are multiple different CA certs, you can import as bundle. And then select that in trusted certificate authorities under client authentication settings of clientssl profile.
There is also another way, to verify the CA chain of client certificate in iRule using [X509::issuer [SSL::cert 0]] which will parse the CA certificate, but advisable way is to use clientssl profile setting.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com