- What_Lies_Bene1 (Cirrostratus)
This is a common question. As SSL/TLS operations occur before any HTTP is passed, this is not possible.
- Kevin_Stewart (Employee)
Ultimately you'd want to switch the client SSL profile, or make a setting change based on the URI evaluation, but as Steve states, SSL negotiation happens before HTTP, so it's not really possible. There are alternatives though.
- You can use SSL:: commands in an iRule to trigger a renegotiation and cert request based on request criteria. There's no way to alter the original SSL handshake, but you can cause a renegotiation and change the authentication settings there. The wiki page for SSL::authenticate actually has a good example:
https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx
- The Access Policy Manager (APM) module can perform this SSL renegotiation and client certificate request very easily without iRules. APM evaluates authentication at the beginning of the session, so in your case, because you might have users pass from a non-authenticated to an authenticated URI during the session, you'd still need an iRule to trigger access policy renegotiation.
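The URI-triggered renegotiation described in the replies above, sketched as an iRule. This is an added example, not part of the thread and not the code from the linked wiki page; the `/secure` path prefix and the `renegotiating` variable are assumptions made for illustration.

```tcl
# Added example. "/secure" is a hypothetical protected path prefix.
when HTTP_REQUEST {
    # Compare against the lower-cased path so case variants of the
    # protected prefix are also forced through certificate authentication.
    if { [string tolower [HTTP::path]] starts_with "/secure" } {
        # Renegotiate only if this TLS session has no client certificate yet.
        if { [SSL::cert count] == 0 } {
            # Hold the request so nothing reaches the pool before the
            # client has presented a certificate.
            HTTP::collect
            set renegotiating 1
            # Drop the cached session so the client cannot resume it
            # and skip the certificate request.
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake as well; act only after a
    # renegotiation started by the HTTP_REQUEST handler above.
    if { [info exists renegotiating] } {
        unset renegotiating
        # Release the held request only for a certificate that verified
        # cleanly (verify result 0); otherwise fail closed.
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            HTTP::release
        } else {
            reject
        }
    }
}
```

Renegotiation does not exist in TLS 1.3 and is prohibited under HTTP/2, so this approach only works on connections that negotiate TLS 1.2 or earlier with HTTP/1.1.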