Forum Discussion

s3s1277_111291
Jan 03, 2012

http redirect when there is no client cert

Is there a way to HTTP redirect when there is no client certificate in the request received at the F5? I see we can't use HTTP::redirect within the CLIENTSSL_CLIENTCERT method.

1 Reply

  • If you want to send an HTTP response when no client cert is provided, you would need to set the client cert mode to request on the client SSL profile. You could then use an iRule like this:

    when HTTP_REQUEST {

        # Check whether the client presented at least one certificate
        if { [SSL::cert count] > 0 } {

            # Check that the client cert validated against the trusted CA configured on the client SSL profile
            if { [SSL::verify_result] == 0 } {

                # Valid cert: exit this event and let the request through
                return
            } else {
                # Use the OpenSSL verify error string in the HTTP response (defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS)
                set error_string [X509::verify_cert_error_string [SSL::verify_result]]
            }
        } else {
            set error_string "No client certificate provided"
        }

        # If we are still executing this iRule, the client did not present a cert or did not present a valid cert
        HTTP::respond 403 content "Invalid client certificate: $error_string"
    }

    Aaron
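The original question asked for a redirect rather than a 403. The following iRule is an added example, not Aaron's code or F5's, that answers that variant: it redirects browsers that present no certificate to a help page and still returns 403 when a certificate is presented but fails validation, logging both cases so the events show up in the LTM log. It assumes the same prerequisite as the answer above (client cert mode set to "request" on the client SSL profile, so the handshake completes and HTTP_REQUEST fires); the landing URL is a placeholder.

```tcl
# Added example (not from the original post). Assumes the client SSL
# profile's client cert mode is "request": with "require" the handshake
# fails before HTTP_REQUEST runs and no redirect or response is possible.
when HTTP_REQUEST {
    # Placeholder URL. It must be served by a virtual server that does NOT
    # request a client certificate, otherwise the redirect loops.
    set landing "https://help.example.com/client-cert-required"

    # Case 1: no certificate at all -> redirect to the help page
    if { [SSL::cert count] == 0 } {
        log local0.info "No client cert from [IP::client_addr] for [HTTP::host][HTTP::uri]"
        HTTP::redirect $landing
        return
    }

    # Case 2: certificate presented but not valid against the profile's CA -> 403
    if { [SSL::verify_result] != 0 } {
        set reason [X509::verify_cert_error_string [SSL::verify_result]]
        log local0.warn "Client cert rejected from [IP::client_addr]: $reason"
        HTTP::respond 403 content "Invalid client certificate: $reason" "Content-Type" "text/plain"
        return
    }

    # Case 3: valid certificate -> fall through and let the request reach the pool
}
```

Keeping the no-cert and invalid-cert paths separate matters: a redirect is appropriate for a user who simply has no certificate installed, while a certificate that fails validation (expired, revoked, wrong CA) should be refused outright and logged, since that is the event worth alerting on.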