iF5_139120
Dec 04, 2013

SSL Hook command

Hello,

Is it possible to invalidate a TLS browsing session? I.e., with a client using the Chrome browser and a VIP configured on F5 with a client certificate requirement, it will not ask for the client certificate a second time if the request is sent in the same session (hitting the F5 button on the keyboard). Is there a command in F5 which can force the Chrome browser to ask for the client certificate on every request?

Thank you.


3 Replies

  • You can definitely invalidate an SSL session with the SSL::session invalidate command:

    https://devcentral.f5.com/wiki/iRules.SSL__session.ashx

    But getting the browser to actually prompt more than once is generally not something that can be controlled. Most browsers will remember the last selection and reselect the same certificate if the server requests it repeatedly.


  • Kevin_K_51432
    Historic F5 Account

    Hi, have you tried the "frequency" option in the client auth section of the Client SSL profile?

    Once: Specifies that the system authenticates the client once for an SSL session.
    
    Always: Specifies that the system authenticates the client once for an SSL session and also upon reuse of that session.
    
  • The frequency setting will determine how often the client certificate is requested, based on the establishment of a resumable SSL session ID. But none of the client SSL profile settings will control if and when the browser will actually prompt the user with a new cert selection. The client cert request in the SSL renegotiations may be happening frequently, but the browser will usually continue to select the original client cert.
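
An iRule that applies the commands discussed in the replies, as an added example that is not code from any poster in this thread: it invalidates the session and forces a renegotiation with a client certificate request on each request to a protected path, then logs what the client presented. The `/secure` path and the chain depth of 9 are assumed values. As the replies explain, this controls what the BIG-IP asks for, not whether the browser shows its certificate picker again.

```tcl
# Added example. "/secure" and depth 9 are assumptions, not values from the thread.
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/secure" } {
        # Hold the request until the new handshake has finished.
        HTTP::collect
        # Drop the cached session so it cannot be resumed.
        SSL::session invalidate
        # Same effect as frequency "always" in the Client SSL profile.
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        # Renegotiation does not exist in TLS 1.3, so this path relies on
        # the connection having negotiated TLS 1.2 or earlier.
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    # Release the held request once the client has answered the cert request.
    HTTP::release
    if { [SSL::cert count] < 1 } {
        log local0. "no client certificate from [IP::client_addr], rejecting"
        reject
    } else {
        # Server-side confirmation that a certificate was presented again,
        # even when the browser silently reused the earlier selection.
        log local0. "client cert subject: [X509::subject [SSL::cert 0]]"
    }
}
```

The log entries show whether the certificate request is really happening on each request, which separates a BIG-IP configuration problem from the browser behaviour described above.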