Forum Discussion
SSL Profile for URI
Hi all,
My case
1. We have a virtual server that serves SSL requests (443) without requiring a client certificate for the connection;
2. Now we need to set up, on this virtual server, a URI that starts with "/context" for which the certificate is required;
3. This URI requires the SSL profile to use the "Trusted Certificate Authorities" from the "Client Authentication" settings;

Does anyone have an idea of how to implement this?
Thank you
1 Reply
Hi WagnerFS,
you may try the code below as a starting point...
```tcl
when CLIENTSSL_CLIENTCERT {
    # Runs when a client certificate is received during the renegotiated handshake
    if { [SSL::cert count] > 0 } {
        log -noname local0.debug "Client cert is OK; releasing HTTP request."
        HTTP::release
    }
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/context" } then {
        log -noname local0.debug "Certificate required for: [HTTP::uri]"
        if { [SSL::cert count] == 0 } {
            log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
            # Hold the request, then require a client cert and renegotiate
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
```

Note: Tweak your Client SSL Profile so that it trusts and advertises just the desired CA chain.
Cheers, Kai