Technical Forum
Pass Client Cert to a Specific URI

Ian_38374
Nimbostratus

I am attempting to do SSL Offloading with a MDM solution by MobileIron. Everything seems to work fine with SSL offloading except for one URL that mobile devices use to reach a WebClip (web based appstore) that requires a client cert. With a standard type Virtual server with SSL offloading, the client just hangs and eventually times out while trying to reach the link. As soon as I switch the virtual server type to Performance Layer 4 it works. Like I said, everything else works with the exception of this single feature, but this has to work. Is there a way to either just pass the client cert on to the back end for the specific URI or for any URI?


/mifs/c/api/v1/client/$DEVICE_CLIENT_ID$/appstore


I have an SSL Server profile enabled with the back end servers so I am not really doing SSL Offloading, I am just trying to get log data as the application does not provide much insight into what is going on and I have need to apply iRules to restrict access to specific URIs from public locations which I cannot do without an HTTP profile.


Thanks


Kevin_Stewart
F5 Employee
When you say that the URL requires a client cert, is it requiring it in the SSL stream, or can it receive the value by some other means (ie. HTTP header)?
You can't pass the client certificate in the SSL stream unless you do something like ProxySSL, which wouldn't work "mid-session".

Justin1
Nimbostratus

I have been trying to do the same recently. I managed to create a VIP for the appstore port and haven't had an issue. As this is a message from some time ago it is unlikely you are still looking to solve this.

I do however have an issue getting the 443 port to allow enrolments and also client auth to work. Client cert auth works for existing devices but I can't enrol a new device. I tried setting the client auth to ignore to allow enrolment but then it breaks as the policy can't download as it seems it then needs client cert auth.

I tried an iRule to do SSL::renegotiate but that seems to go through the iRule and then back to CLIENT_CLIENTCERT and then stops so I can't then re-process my rule to do logging and other URI blocking to the public.

Want to do this without APM if possible but it looks to not be possible.

Note: It also seems SSL::renegotiate isn't compatible with TLSv1.3 either.

If anyone has an iRule that works I would be very interested.
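As an added example (not an iRule posted in this thread, and not MobileIron's or F5's own code), the following iRule shows the pattern Kevin alludes to: the BIG-IP terminates TLS, captures the client certificate in CLIENT_CLIENTCERT, and forwards the certificate identity to the back end in HTTP headers, while the HTTP_REQUEST event does the per-URI logging and public-access restriction Justin and the original poster want. It assumes the Client SSL profile has Client Authentication set to "request" (so the event fires whether or not the device presents a certificate, which avoids the enrolment problem of "require"), that the virtual server has an HTTP profile, and that the header names, the appstore path prefix, the internal-only URI list and the 10.0.0.0/8 address range are illustrative choices rather than values from the thread. Standard iRule commands are used (SSL::cert, X509::serial_number, X509::subject, HTTP::header, HTTP::respond, IP::addr, log); no renegotiation is needed, which matters because, as noted above, renegotiation is not available under TLS 1.3.

```tcl
# Added example iRule. Assumptions: Client SSL profile with Client Authentication
# = "request", HTTP profile on the virtual server, and a back end that is
# configured to trust the X-Client-Cert-* headers only when they arrive from
# the BIG-IP. Header names, paths and address ranges below are illustrative.

when RULE_INIT {
    # Path prefix of the appstore API the MDM clients call (assumed; the
    # $DEVICE_CLIENT_ID$ segment varies per device, so match on the prefix).
    set static::appstore_prefix "/mifs/c/api/v1/client/"
    # URI prefixes that should only be reachable from the internal network (assumed).
    set static::internal_only_uris [list "/mifs/admin" "/mifs/login.jsp"]
}

when CLIENT_CLIENTCERT {
    # Fires once per TLS handshake in which a client certificate was requested.
    # Variables set here are connection-scoped, so HTTP_REQUEST can read them.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set cert_serial  [X509::serial_number $cert]
        set cert_subject [X509::subject $cert]
        set client_cert_present 1
        log local0. "client cert from [IP::client_addr]: subject=$cert_subject serial=$cert_serial"
    } else {
        set client_cert_present 0
        log local0. "no client cert presented by [IP::client_addr]"
    }
}

when HTTP_REQUEST {
    set uri [HTTP::uri]
    log local0. "[IP::client_addr] [HTTP::method] $uri"

    # Restrict internal-only URIs to the assumed private range; everything else
    # from the public Internet is rejected before it reaches the server pool.
    foreach prefix $static::internal_only_uris {
        if { $uri starts_with $prefix } {
            if { !([IP::addr [IP::client_addr] equals 10.0.0.0/8]) } {
                log local0. "blocked $uri from public address [IP::client_addr]"
                HTTP::respond 403 content "Forbidden"
                return
            }
        }
    }

    # Never let a client supply these headers itself: strip them on every
    # request so the back end only ever sees values set by the BIG-IP.
    HTTP::header remove "X-Client-Cert-Serial"
    HTTP::header remove "X-Client-Cert-Subject"

    # For the appstore path, forward the identity from the TLS-layer certificate.
    if { $uri starts_with $static::appstore_prefix } {
        if { [info exists client_cert_present] && $client_cert_present } {
            HTTP::header insert "X-Client-Cert-Serial"  $cert_serial
            HTTP::header insert "X-Client-Cert-Subject" $cert_subject
        } else {
            log local0. "appstore request without client cert from [IP::client_addr]"
        }
    }
}
```

Two design points: the back end has to be changed to accept the certificate identity from a header instead of from its own TLS handshake, and it must accept that header only from the BIG-IP (for example by network restriction, or by the Server SSL profile presenting a certificate the back end verifies); the header-strip step protects against a client forging the header, but it does not protect a back end that is reachable directly. If the application insists on seeing the certificate in the TLS stream itself, this approach does not apply and the Performance Layer 4 virtual server the original poster found working remains the option that passes the handshake through untouched.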