Forum Discussion
RiverFish
Jun 04, 2014 Altostratus
Turn off client auth if uri equals
Customers connect to one IP. They connect with an app, not a browser. They use port 5443 to register (obtain a cert we issue) for the service, and port 443 for the actual service.
register: https:/...
Kevin_Davies_40
Nacreous
Just brainstorming here... You will have to use a less secure profile until they come in, then change the profile and force an SSL::renegotiate if they are not using /register. Something like...
    when HTTP_REQUEST {
        if {!([HTTP::uri] eq "/register")} {
            SSL::profile ssl_2way
            SSL::renegotiate
        }
    }
But this will make normal connections take longer to establish as a result, because it's a two-step process for them instead of one.
RiverFish
Jun 17, 2014 Altostratus
Thanks for your response, Kevin. I believe the "SSL::profile" command cannot be used in the "when HTTP_REQUEST" event, so I have shifted focus to the "SSL::mode ignore" command. We tested my iRule above and the ignore command is not working as hoped. The 2-way SSL profile that is assigned to the Virtual Server is requesting a cert from the client, followed by a "Warning, No Certificate", then "Fatal, Handshake Failure".
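Added example, not part of the thread and not code from either poster: the per-URI idea discussed above, done on a single client-SSL profile by asking for the certificate on demand instead of switching profiles. It assumes the profile on the virtual server has its client certificate setting at ignore, trusts the CA that issues the registration certs, and allows renegotiation, which means TLS 1.2 or earlier since TLS 1.3 has no renegotiation.

```tcl
# Added example. Assumed profile settings: Client Certificate = ignore,
# issuing CA configured as trusted CA, renegotiation enabled.

when HTTP_REQUEST {
    # /register is where the app obtains its certificate, so the request is
    # let through without one. HTTP::path ignores any query string.
    if { [HTTP::path] eq "/register" } {
        return
    }

    # Every other URI needs a client certificate. If this connection has not
    # presented one yet, hold the request and renegotiate with the
    # certificate required.
    if { [SSL::cert count] == 0 } {
        HTTP::collect
        SSL::authenticate always
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has answered the certificate request.
    # Drop the connection if nothing usable was presented.
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    # Certificate received: release the request held by HTTP::collect.
    HTTP::release
}
```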