Forum Discussion

Cirrus

Oct 18, 2022

Client Authentication with certificate on one URI only

Hello, I need your help figuring out how to troubleshoot a new implementation. We have a VIP exhibiting our service. The VIP has its own SSL client profile. Behind this VIP is an IIS which has 5 we...

application delivery

Kevin_Stewart
Oct 27, 2022
Just to quickly follow up on this question, the answer depends on when. From an OSI perspective, by the time you've reached the HTTP uri, the TLS handshake is already done, so you really don't have any other option but to perform renegotiation. Since the client and BIG-IP have already established a TLS session (without cert auth), you basically have to tell the client to start a new TLS handshake, while you flip on the cert auth option. Even APM does this for things like On-Demand Cert Auth, that happen after initial TLS handshake and after the access policy has started.

If you can get to the data you're looking for before the TLS handshake finishes, like looking at the SNI in the layer 4 TCP payload, then it would be possible to switch client SSL profiles (between auth and non-auth SSL profiles).

tub91

Cirrus

Hi mihaic

Thank you for your answer. However, we would like to avoid using SSL Renegotiation.

Is there any way to do this through the APM?

Kevin_Stewart

Employee

Oct 27, 2022

Just to quickly follow up on this question, the answer depends on when. From an OSI perspective, by the time you've reached the HTTP uri, the TLS handshake is already done, so you really don't have any other option but to perform renegotiation. Since the client and BIG-IP have already established a TLS session (without cert auth), you basically have to tell the client to start a new TLS handshake, while you flip on the cert auth option. Even APM does this for things like On-Demand Cert Auth, that happen after initial TLS handshake and after the access policy has started.

If you can get to the data you're looking for before the TLS handshake finishes, like looking at the SNI in the layer 4 TCP payload, then it would be possible to switch client SSL profiles (between auth and non-auth SSL profiles).

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Client Authentication with certificate on one URI only

Recent Discussions

Gy the ft hi go to ki CE ki CE ki hi if co ltd Tel no hi hi co

SF GS see the attached document for your email and

De do please let me know when the ft ye so I

Spiritual Salt Review - Does it Work or a Scam?

Tupi Tea Reviews 2024: Real or Scam? Must Read

Related Content

BIG-IQ Client Certificate (PKI) Authentication

Configuring APM Client Side NTLM Authentication

Distributed caching of authentication requests with NGINX Ingress Controller

My Security+ Certification Journey

C3D forged certificate

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS