Forum Discussion

Sencko_83194
Dec 07, 2012

SSL renegotiate with require client certificate upon server demand

We have the following scenario:

The BigIp server is terminating SSL, sending the requests to a web server behind it, and passing the client certificate as an HTTP header if one is provided.

There is an application running on the web server which may decide when it demands a client certificate; upon such an event it returns to the BigIp a special HTTP header, which is parsed by an iRule, and SSL renegotiation is triggered after the SSL client-side settings are changed.

I saw that there is an example for SSL renegotiation upon some rule, but in the example this is decided in the HTTP_REQUEST event, while I think for this scenario the HTTP_RESPONSE event is more appropriate.

The problem is that I was not able to use HTTP::collect and release in HTTP_RESPONSE, and the SSL client receives nothing after renegotiation (if tests are done with IE 10, the error "The following fatal alert was generated: 20. The internal error state is 960." is logged in the SCHANNEL log).

Here is the current version of the rule:
    when HTTP_RESPONSE {
        # The backend signals with this header that a client certificate is required
        if { [HTTP::header "require_cert"] equals "require" } {
            clientside {
                if { [SSL::cert count] == 0 } {
                    log local0. "renegotiating"
                    # Switch the client-side SSL profile to require a certificate, then renegotiate
                    SSL::cert mode require
                    SSL::renegotiate
                } else {
                    log local0. "Found client cert:[X509::subject [SSL::cert 0]]"
                }
            }
        }
    }
Can anyone provide a little help if this is possible?

Best Regards,

Aleksandar
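For comparison, the request-side variant that the post refers to, written out here as an added example (it is not Aleksandar's rule and not an F5-supplied one): the request is held with HTTP::collect, the client-side profile is switched to require a certificate, the session is renegotiated, and the held request is released from CLIENTSSL_HANDSHAKE once a certificate is present. The `/secure` URI prefix and the `X-Client-Cert-Subject` header name are assumptions chosen for the example. The header-stripping lines in HTTP_REQUEST are the check a practitioner would want in any such setup: if the backend trusts a subject header set by the proxy, a copy of that header supplied by the client must be removed before the request is forwarded.

```tcl
# Added example, not the original poster's rule.
# Assumes the client SSL profile starts with client certificate mode "ignore"
# and that the backend reads the subject from X-Client-Cert-Subject (assumed name).
when HTTP_REQUEST {
    # Never trust a client-supplied copy of the header the proxy is supposed to set.
    HTTP::header remove "X-Client-Cert-Subject"

    # Only the protected part of the application needs a client certificate (assumed prefix).
    if { [HTTP::uri] starts_with "/secure" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request so nothing reaches the server before a
            # certificate has been presented on the renegotiated handshake.
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
        } else {
            # A certificate is already present on this session: pass its subject on.
            HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires when the (re)negotiated handshake completes.
    if { [SSL::cert count] > 0 } {
        log local0. "Client cert after renegotiation: [X509::subject [SSL::cert 0]]"
    } else {
        log local0. "Handshake completed without a client certificate"
    }
    # Release the request held in HTTP_REQUEST; with mode "require" a handshake
    # that lacks a certificate fails before this point, so the release is safe.
    HTTP::release
}
```

The difference from the response-side approach in the post is that the decision is taken before the request is forwarded, so there is no server response in flight when the renegotiation starts; that is the case the documented example covers, whereas renegotiating from HTTP_RESPONSE, as the post describes, is the situation that produced the client-side alert.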
