"SSL::cert mode require" does not work
I'm trying to use an iRule to perform client certificate authentication on certain parts of my website and not others. I found this article to use as a starting point: https://devcentral.f5.com/articles/selective-client-cert-authentication
Everything seems to work except for the "SSL::cert mode require" line. The browser (and a packet capture confirms it) never receives a request from the F5 for its client certificate. The ltm log shows the following after a failure:
May 11 14:13:06 4000s-1 info tmm[15688]: Rule /Common/test-by-uri-cert-auth : Protected URI requested: /protected/index.htm
May 11 14:13:06 4000s-1 info tmm[15688]: Rule /Common/test-by-uri-cert-auth : No Certificate Provided
The iRule is:
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/protected/" } {
        log local0. "Protected URI requested: [HTTP::uri]"
        if { [SSL::cert count] <= 0 } {
            # Hold the HTTP request while the SSL session is renegotiated
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            # Require a client certificate on the renegotiated handshake
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Release the request held by HTTP::collect
    HTTP::release
    if { [SSL::cert count] < 1 } {
        log local0. "No Certificate Provided"
        reject
    }
}