Forum Discussion
Goran_Blomquis1
Nimbostratus
Mar 26, 2009
Set ssl to require and pass cert when uri /manual
Hi devcentral
I'm trying to write an iRule that changes ignore to require in the SSL client profile. I think I'm on the right track, but the backend seems to be very slow and asks for a cert all the time....
hoolio
Cirrostratus
Oct 15, 2009
That example wouldn't work well for clients who try to resume an existing SSL session. You would want to store the SSL session ID in the session table and then check on new requests if the current SSL session ID has a corresponding entry in the session table before checking if there is a cert.
This codeshare example shows how to validate the client cert and store valid cert details in the session table:
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Also, to force some IE browser versions to pick a new SSL session ID when renegotiating the SSL handshake you should use SSL::session invalidate before calling SSL::renegotiate:
# Force renegotiation of the SSL connection with a cert requested
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
And if you want to gracefully handle clients who don't provide a cert, you would want to set SSL::cert mode to request and then send some kind of response if the cert isn't present.
Aaron
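The flow described in the reply above (look up the current SSL session ID in the session table, and only when it is missing invalidate the session and renegotiate with a cert required), as an added iRule example that is not part of the original posts or the linked codeshare. Assumptions: the client SSL profile starts in ignore mode with a trusted CA configured, the `/manual` prefix is taken from the thread title, the `held` variable and the 180-second entry lifetime are illustrative, and the `session add ssl` / `session lookup ssl` form is the syntax of that era.

```tcl
when CLIENT_ACCEPTED {
    # 1 while an HTTP request is being held until renegotiation finishes
    set held 0
}

when HTTP_REQUEST {
    # Only /manual needs a client certificate; everything else passes untouched
    if { !([HTTP::uri] starts_with "/manual") } { return }

    # A resumed SSL session that already presented a valid cert has an entry
    # in the session table, so it is not asked for the cert again
    set sid [SSL::sessionid]
    if { $sid ne "" && [session lookup ssl $sid] ne "" } { return }

    # No entry: hold the request and renegotiate with a cert required.
    # Invalidating first makes the client pick a new SSL session ID.
    HTTP::collect
    set held 1
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode require
    SSL::renegotiate
}

when CLIENTSSL_HANDSHAKE {
    # Ignore the initial handshake; act only when a request is being held
    if { !$held } { return }
    set held 0

    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Record the validated subject under the new SSL session ID so later
        # requests and resumed sessions skip the renegotiation
        set sid [SSL::sessionid]
        if { $sid ne "" } {
            session add ssl $sid [X509::subject [SSL::cert 0]] 180
        }
        HTTP::release
    } else {
        # No cert, or verification against the profile's CA failed
        reject
    }
}
```

The session-table lookup is what stops the repeated cert prompts: renegotiation happens once per SSL session instead of on every request to `/manual`.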
