SSL::renegotiate fails

Question

Howdy all,&nbsp;
&nbsp;I'm trying to selectively enable PKI on one of our websites, and am using the example listed in the iRule wiki, but rather than seeing the web browser request that the user provide a client certificate, the request ends up timing out.  &nbsp;
&nbsp;Have any of you seen this before?  Do I need to set any specific configuration options on the clientssl profile in order to use the SSL::renegotiate command?&nbsp;
&nbsp;For reference, here is the rule I'm trying to use:&nbsp;
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__renegotiate.html&nbsp;
&nbsp;Regards,
&nbsp;Brian

dimka___104021 · Answer

hi,&nbsp;
&nbsp;I've tried to use SSL::renegotiate, but it didn't work like it should.
&nbsp;If you want to store some client cert data into session table - forget it.
&nbsp;Session lookup doesn't work with SSL::renegotiate. Even support said "This really falls outside the realm of technical support".

brian_ledbetter · Answer

I ended up forwarding the request from the non-PKI server to a virtualhost that has PKI configured, and used another iRule to set an authenticated cookie.  Not quite as clean of a solution, but it seems to be good enough for now.

Forum Discussion

SSL::renegotiate fails

Recent Discussions

ASM Export JSON - size Limit ?

Can i apply ddos profile on virtual server using port range

I used the wrong email account when take Application Delivery Exam (101)

F5 iControl REST API - viewBy Parameter Issue in Analytics Report

'F5 rules for AWS WAF' ruleset not working for jsp web shell attack

Related Content

SSL Legacy Renegotiation vs Secure Renegotiation Explained using Wireshark

SSL Profiles Part 6: SSL Renegotiation

Re: SSL Renegotiation DOS attack – an iRule Countermeasure

SSL renegotiation DOS mitigation

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS