Forum Discussion
SSL client cert request per URL
Hi, I have LTM only. How can I deploy a client certificate request for a specific URL? If the client goes to /example he doesn't need a certificate; if he goes to the /secure URL on the same VIP, the client needs to provide a client certificate. I think I need an iRule that, when HTTP_REQUEST fires, does an SSL renegotiation with a client cert required.
- youssef1
Cumulonimbus
Hi Igor,
First of all, you have to configure your client cert like this:
Client Authentication:
- Client Certificate: request
- Frequency: once
- Retain Certificate: yes
- Trusted Certificate Authorities: your CA that signs the user certs
- Advertised Certificate Authorities: your CA that signs the user certs
Then try this iRule:
when CLIENT_ACCEPTED {
    # $uid is used in the log lines below but was not set anywhere in the posted rule;
    # use the client address and port as a per-connection identifier
    set uid "[IP::client_addr]:[TCP::client_port]"
}

when HTTP_REQUEST {
    set cert_provided 0
    if { [SSL::cert count] > 0 } {
        for { set i 0 } { $i < [SSL::cert count] } { incr i } {
            log local0. "uid: $uid - cert number: $i"
            log local0. "Issuer Info: [X509::issuer [SSL::cert $i]]"
            log local0. "cert serial: [X509::serial_number [SSL::cert $i]]"
            set cert_provided 1
            # A presented cert that fails chain validation does not count as provided
            if { [SSL::verify_result] != 0 } {
                log local0. "uid: $uid - Cert Error: [X509::verify_cert_error_string [SSL::verify_result]]"
                set cert_provided 0
            }
        }
    } else {
        log local0. "uid: $uid - No client certificate provided"
        set cert_provided 0
    }
    # URIs that need client-cert auth: drop the connection if no valid cert was presented
    if { !($cert_provided) } {
        switch -glob [string tolower [HTTP::uri]] {
            "/uri1" -
            "/uri2" -
            "/uri3" {
                reject
            }
            default {
                # nothing to do for other URIs
            }
        }
    }
}
- Kevin_Stewart
Employee
You can see a good example here: https://devcentral.f5.com/wiki/iRules.SSL__renegotiate.ashx
But to be clear, you cannot change the attributes of an existing SSL session (OSI layer 6) based on HTTP information (layer 7). In other words, by the time you can see the HTTP URI, you've already processed the SSL. The above link shows an iRule method to force SSL renegotiation and to prompt for a cert (SSL::cert mode require). You can also more easily do this with "step-up authentication" in APM.
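A worked version of the renegotiation approach Kevin describes, which also covers the per-URI check the earlier reply does with Client Certificate: request plus reject. This is an added example, not code from the thread, from the linked wiki page or from F5. It assumes a clientssl profile with Client Certificate set to ignore, Renegotiation enabled and a Trusted Certificate Authorities bundle configured (so SSL::verify_result is meaningful); the /secure path prefix, the waiting_for_cert flag name and the log facility are illustrative choices.

```tcl
# Added example (not from the thread): per-URI client-cert step-up via SSL renegotiation.
# Assumed profile: Client Certificate = ignore, Renegotiation = enabled, trusted CA bundle set.

when CLIENT_ACCEPTED {
    # Set when a request has been paused while we wait for the renegotiated handshake
    set waiting_for_cert 0
}

when HTTP_REQUEST {
    # Only the protected prefix triggers step-up; /example and everything else pass through
    if { [string tolower [HTTP::path]] starts_with "/secure" } {
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            # A valid cert is already on this session (e.g. a later request on a keep-alive connection)
            return
        }
        # Hold the request so nothing is forwarded before the client authenticates,
        # then force a new handshake that requires a certificate
        set waiting_for_cert 1
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires again after the renegotiated handshake completes
    if { !$waiting_for_cert } {
        return
    }
    set waiting_for_cert 0
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        log local0. "client [IP::client_addr] authenticated with cert [X509::subject [SSL::cert 0]]"
        # Let the held request continue to the pool
        HTTP::release
    } else {
        log local0. "client [IP::client_addr] failed step-up: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
    }
}
```

Two caveats worth checking before relying on this. Renegotiation must be enabled on the client SSL profile, and it only exists up to TLS 1.2: TLS 1.3 removed renegotiation entirely, so a TLS 1.3 client can never be stepped up this way and will simply be rejected on /secure. And the HTTP::collect is what makes the check safe: it keeps the request on the BIG-IP until the new handshake has produced a cert that passes chain validation, rather than forwarding it and deciding afterwards.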