_NAME_8
Jan 05, 2016

Selective SSL client authentication with custom ca-bundle

I'm trying to set up selective SSL client authentication for certain HTTP URIs using custom SSL profiles. The reason for custom profiles is that I couldn't find a way to specify a custom ca-bundle for trusted CAs instead of using the F5 default CA bundle.

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/pki" } {
            SSL::profile test-pki.client-ssl
        } else {
            SSL::profile test.client-ssl
        }
    }

But it seems that SSL::profile can only be used during the CLIENT_ACCEPTED event, which doesn't support [HTTP::uri]. I also tried disabling SSL client auth, but it's still prompting for client certificates.

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/pki" } {
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        } else {
            SSL::cert mode ignore
        }
    }

So how can I enable selective SSL auth and still use a custom CA bundle as the key store?


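One way to get the per-URI certificate request the post is attempting, written here as an added example (it is not the poster's iRule or F5's own code). It assumes the clientssl profile attached to the virtual server already has the custom CA bundle configured as its Trusted Certificate Authorities and Client Certificate mode set to ignore, so the first handshake completes without a certificate and the rule demands one only for /pki; no profile switch in CLIENT_ACCEPTED is needed.

```tcl
# Added example: selective client-certificate authentication for /pki.
# Assumptions (not from the original post): the virtual server's clientssl
# profile carries the custom CA bundle as its Trusted Certificate Authorities
# and has Client Certificate mode "ignore", so the first handshake succeeds
# without a certificate and the rule demands one only for protected URIs.

when CLIENT_ACCEPTED {
    # The URI is unknown here, so SSL::profile cannot be chosen per path.
    # Track per-connection renegotiation state instead.
    set renegotiated 0
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/pki" } {
        if { [SSL::cert count] == 0 } {
            if { $renegotiated } {
                # Already renegotiated once and still no certificate.
                HTTP::respond 403 content "Client certificate required" Connection Close
                return
            }
            # Hold the request, demand a certificate, and renegotiate the
            # TLS session; CLIENTSSL_HANDSHAKE releases the request later.
            set renegotiated 1
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
            return
        }
        # Later requests on the same connection: the certificate is already
        # present; verify_result 0 means it chained to the trusted bundle.
        if { [SSL::verify_result] != 0 } {
            HTTP::respond 403 content "Client certificate not trusted" Connection Close
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires when the renegotiated handshake completes. Forward the held
    # request only if a certificate arrived and validated against the
    # profile's trusted CAs; otherwise drop the connection.
    if { $renegotiated } {
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            HTTP::release
        } else {
            reject
        }
    }
}
```

Requests outside /pki never trigger the renegotiation, so clients are only prompted for a certificate on the protected path.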
3 Replies

  • Hi GK,

    Are you trying to use an SSL client profile or an SSL server profile? An SSL client profile will share its (representing the server) certificate with the client, and then the client will match its CA in its CA bundle and then do authentication.

    But if you are using an SSL server profile, F5 will act as the client, ask for the server certificate, and perform authentication by looking into its built-in CA bundle.

    Regards, Amit Grover


    • _NAME_8
      I am using a custom SSL Client (clientssl) profile.
  • "But it seems that SSL::profile can only be used during the CLIENT_ACCEPTED event, which doesn't support [HTTP::uri]."


    By design, I think that this is the logical behavior, since HTTP::uri is called by the GET/POST requests and could only succeed after the SSL handshake.


    Can you elaborate a little bit more on your need?