Turn off client auth if uri equals
Tags: switch client ssl profiles
Customers connect to one IP. They connect with an app, not a browser. They use port 5443 to register (obtain a cert we issue) for the service, and port 443 for the actual service.

register: https://5.5.5.5:5443/register (1-way ssl) (get the cert)
service: https://5.5.5.5/service (2-way ssl) (use the cert)

We have a registration VS and a service VS. Both VSs have their own client ssl profile (no server profile). Below are the differences in the ssl profiles:

I am tasked with getting rid of port 5443 and making it so that customers can both register and hit the service on port 443/https. The majority of the traffic comes in on 443, with the occasional new customer registering first on 5443. The VSs point to different pools. We are running BIG-IP 11.3.0 Build 2806.0 Final.

With that being said, I'd like to make the 2-way ssl profile the default and turn off client auth if the uri equals "/register". Here is what I have so far...

```tcl
when HTTP_REQUEST {
    # Turn off client auth for registration requests
    if { [HTTP::uri] contains "/register" } {
        # Stop requesting a client certificate, renegotiate the TLS session
        # without one, then send the request to the registration pool.
        SSL::cert mode ignore
        SSL::renegotiate enable
        SSL::renegotiate
        pool registration-pool
        return
    } elseif { ([SSL::cert count] > 0) && ([HTTP::uri] contains "/service") } {
        # scrub headers the client may have sent
        HTTP::header remove chain
        HTTP::header remove client
        HTTP::header remove testCert
        HTTP::header remove ClientCert-Subject
        HTTP::header remove SSLClientCertSubject
        HTTP::header remove SSLClientCertThumbprint
        # insert cert subject from the presented client certificate
        HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]
    } else {
        drop
    }
}
```

Concerns:
- When to use "return" and "SSL::renegotiate"
- Security (ssl renegotiate vulnerabilities)
- Do I need to set variables?

Very grateful for any help on this. Thanks.
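An added example, not the poster's iRule and not an F5-supplied one, showing one way to put both paths behind a single client SSL profile without renegotiation. It assumes the profile's client authentication is set to "request" rather than "require", so the handshake completes whether or not the app sends a certificate and the iRule makes the decision per URI; it also assumes that in "request" mode a certificate that fails verification does not abort the handshake, which is why `SSL::verify_result` is checked explicitly. The pool name `registration-pool` is from the post; `service-pool` is a placeholder.

```tcl
# Added example (not the original post's iRule). Assumes one VS on 443 and a
# client SSL profile with client authentication = "request" (so a missing or
# invalid client cert does not fail the handshake by itself; the iRule decides).
# "registration-pool" is from the post; "service-pool" is a placeholder name.

when HTTP_REQUEST {
    # Strip every client-certificate-derived header on EVERY request, before
    # routing, so a caller can never inject a subject the backend would trust.
    foreach hdr [list chain client testCert ClientCert-Subject SSLClientCertSubject SSLClientCertThumbprint] {
        HTTP::header remove $hdr
    }

    # Match on the path, not the whole URI, so "?x=/register" cannot bypass the check.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/register" } {
        # Registration is one-way TLS: no certificate needed and no renegotiation.
        pool registration-pool
        return
    }

    if { $path starts_with "/service" } {
        # Two-way TLS: a certificate must be present AND must have verified
        # against the profile's trusted CA bundle (0 == X509 verify success).
        if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
            log local0. "service request without valid client cert from [IP::client_addr]"
            HTTP::respond 403 content "client certificate required"
            return
        }
        # Only a verified certificate ever reaches the backend as a header.
        HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]
        pool service-pool
        return
    }

    # Anything else is not a known endpoint on this VS.
    reject
}
```

The design choice here is to avoid `SSL::renegotiate` altogether: with the profile in "request" mode the certificate (if any) is already collected during the initial handshake, so there is no renegotiation to worry about and no state to carry in variables; `return` simply ends the event after a pool has been chosen. The cost is that the iRule, not the profile, enforces the certificate requirement, so the `SSL::cert count` and `SSL::verify_result` check on the `/service` branch is the control that must not be removed.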