Forum Discussion
Miguel_61449
Nimbostratus
Jan 24, 2011
SSL Client Profile based on the URL
Hello group,
I am working with the following iRule. The goal I pursue is the following: the iRule must make the client certificate authentication done via the SSL Client Profile A or B based...
hoolio
Cirrostratus
Jan 24, 2011
Hi Miguel,
You might be able to just add both CA root certs to the same bundle and configure that in the client SSL profile.
If that doesn't work, you could potentially select the client SSL profile based on the requested URI. You'd need to use SSL::renegotiate after parsing the URI to determine which client SSL profile to select. You could then call SSL::profile to select that profile. Here are the related wiki pages for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__renegotiate
http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__profile
Here is a rough, untested idea of what the SSL renegotiation might look like:
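when HTTP_REQUEST {
    # Check the requested path
    switch -glob [HTTP::path] {
        "/profile1_uri/*" {
            # Hold the request while the client is re-authenticated
            HTTP::collect
            # Invalidate the current session so it cannot be resumed
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            # Require a client certificate on the new handshake
            SSL::cert mode require
            SSL::renegotiate
            SSL::profile profile1_clientssl
        }
        "/profile2_uri/*" {
            # Same steps, selecting the second client SSL profile
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
            SSL::profile profile2_clientssl
        }
    }
}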
If you try this, add some debug logging, test with a client cert from each CA and reply back with details of any issues you encounter.
Aaron
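The debug logging suggested in the reply above could look like the following. This is an added example, not code from the original thread; it assumes a separate logging-only iRule attached to the same virtual server, writing to the local0 facility, so that each test with a client cert from either CA shows which issuer was presented and whether verification passed.

```tcl
# Added example: logging-only companion rule (not part of the original post).
# Assumption: attached to the same virtual server as the renegotiation rule.

when HTTP_REQUEST {
    # Record which path triggered (or did not trigger) a renegotiation
    log local0. "[IP::client_addr]: request for [HTTP::path]"
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has answered the certificate request
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set result [SSL::verify_result]
        # The issuer shows which CA signed the presented certificate
        log local0. "[IP::client_addr]: subject=[X509::subject $cert]"
        log local0. "[IP::client_addr]: issuer=[X509::issuer $cert]"
        # A result of 0 means the chain verified against the active profile's CA
        log local0. "[IP::client_addr]: verify=$result\
            ([X509::verify_cert_error_string $result])"
    } else {
        log local0. "[IP::client_addr]: no client certificate presented"
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires after every completed handshake, including renegotiations
    log local0. "[IP::client_addr]: handshake complete,\
        cipher=[SSL::cipher name] version=[SSL::cipher version]"
}
```

A non-zero verify result for a certificate from one CA but not the other indicates that the profile in effect for that handshake does not trust the expected CA.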