Forum Discussion
Kai_Wilke
Jan 25, 2016MVP
Hi Tamer,
You may take a look to the links below. The links are showing you the needed syntax to overwrite the configured SSL-Profile settings to require Auth/Client-Certs on a request basis, and to re-negotiates the SSL connection on the fly...
https://devcentral.f5.com/articles/selective-client-cert-authentication
https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx
A sample iRule would look like that...
when CLIENTSSL_HANDSHAKE {
if { [SSL::cert count] == 0 } {
log -noname local0.debug "Client cert is not OK; rejecting TCP connection."
reject
} else {
log -noname local0.debug "Client cert is OK; releasing HTTP request."
HTTP::release
}
}
when HTTP_REQUEST {
if { [string tolower [[HTTP::uri]] starts_with "/admin" } then {
log -noname local0.debug "Certificate required for: [HTTP::uri]"
if { [SSL::cert count] == 0} {
log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
HTTP::collect
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
}
}
}
Note: Once the functionality is verified, you may remove/comment the
commands.[log]
Cheers, Kai