SSL::renegotiate fails

Question

Howdy all,&nbsp;
&nbsp;I'm trying to selectively enable PKI on one of our websites, and am using the example listed in the iRule wiki, but rather than seeing the web browser request that the user provide a client certificate, the request ends up timing out.  &nbsp;
&nbsp;Have any of you seen this before?  Do I need to set any specific configuration options on the clientssl profile in order to use the SSL::renegotiate command?&nbsp;
&nbsp;For reference, here is the rule I'm trying to use:&nbsp;
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__renegotiate.html&nbsp;
&nbsp;Regards,
&nbsp;Brian

dimka___104021 · Answer

hi,&nbsp;
&nbsp;I've tried to use SSL::renegotiate, but it didn't work like it should.
&nbsp;If you want to store some client cert data into session table - forget it.
&nbsp;Session lookup doesn't work with SSL::renegotiate. Even support said "This really falls outside the realm of technical support".

brian_ledbetter · Answer

I ended up forwarding the request from the non-PKI server to a virtualhost that has PKI configured, and used another iRule to set an authenticated cookie.  Not quite as clean of a solution, but it seems to be good enough for now.

Forum Discussion

SSL::renegotiate fails

2 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

SSL Legacy Renegotiation vs Secure Renegotiation Explained using Wireshark

SSL Profiles Part 6: SSL Renegotiation

SSL renegotiation DOS mitigation

Re: SSL Renegotiation DOS attack – an iRule Countermeasure

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS