Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

Pass Client Cert to a Specific URI


I am attempting to do SSL Offloading with a MDM solution by MobileIron. Everything seems to work fine with SSL offloading except for one URL that mobile devices use to reach a WebClip (web based appstore) that requires a client cert. With a standard type Virtual server with SSL offloading, the client just hangs and eventually times out while trying to reach the link. As soon as I switch the virtual server type to Performance Layer 4 it works. LIke I said, everything else works with the exception of this single feature, but this has to work. Is there a way to either just pass the client cert on to the back end for the specific URI or for any URI?




I have a SSL Server profile enabled with the back end servers so I am not really doing SSL Offloading, I am just trying to get log data as the application does not provide much insight into what is going on and I have need to apply iRules to restict access to specific URIs from public locations which I cannot do with out an HTTP profile.






F5 Employee
F5 Employee
When you say that the URL requires a client cert, is it requiring it in the SSL stream, or can it receive the value by some other means (ie. HTTP header)?



You can't pass the client certificate in the SSL stream unless you do something like ProxySSL, which wouldn't work "mid-session".


I have been trying to do the same recently. I managed to create a VIP for the appstore port and havent had an issue. As this is a message from some time ago it is unlikely you are still looking to solve this.

I do however have an issue getting the 443 port to allow enrolments and also client auth to work. Client cert auth works for existing devices but I can't enrol a new device. I tried setting the client auth to ignore to allow enrolment but then breaks as the plicy can't download as it seems it then needs client cert auth.

I tried an irule to do ssl::renegotiate but that seems to go through the iRule and then back to CLIENT_CLIENTCERT and then stops so I can't then re-process my rule to do logging and other URI blocking to the public.

Want to do this without APM if possible but it looks to not be possible.

Note: Also seems ssl::renegotiate isn't compatible with TLSv1.3 either

If anyone has an iRule that works I would be very interested