Forum Discussion
Manuel_Gabaldon
Nimbostratus
NimbostratusSSL renegotiation in version 9.2.3
I'm trying to implement an iRule that changes the SSL cert mode and then renegotiates, but SSL::renegotiate doesn´t seem to work.
When looking at httpwatch I get an INTERNET_SECURITY_CHANNEL_ERROR, even if i don't change the certificate mode.
Does anybody know if this command works for sure?
Thanks.
4 Replies
- I've certainly heard of people succesfully using SSL::renegotiate.
Perhaps you could post your rule so we could take a look at how it's being used?
Colin 
Manuel_GabaldonAlright, it is documented here:
http://devcentral.f5.com/Default.aspx?tabid=29&ArticleType=ArticleView&ArticleID=39&PageID=46
It's the "needcert"/"gotcert" approach, but by ,modifying it i have reduced it to a specific problem with the renegotiation part.
Even with this iRule, browsing fails
when HTTP_REQUEST {
if {[HTTP::uri] starts_with "/needcert" } {
log LOCAL0. "Requiring certificate..."
SSL::cert mode request
SSL::renegotiate
}
}
It seems that when renegotiating, it is unable to instruct the browsar to send a certificate.
We're planning to redirect to a second virtual server with another SSL profile as a workaround, but is unelegant, i guess.
Thanks for your help.- Manuel_GabaldonWe've just found that this is a bug in version 9.2.3, currently on hotfix progress, concerning the "SSL::cert mode" part. It doesn't change the operation mode, so the iRule doesn't work.
It is working fine on 9.1.2, though. 
James_Yang_9981Altostratus
does the "SSL::cert mode" bug will fixed in 9.4.0 too? I found it's not work in 9.4.0 beta now.
