IIS 7 - SSL Client certificate set to "Accept" seems to force F5 SSL TCP RST.
Hi all,
I've just upgraded an 11.3.0 HF5 to 11.6.0 HF4 BIG-IP.
We've got a couple of IIS7 servers behind, which (for no apparent reason) the server admins configured the SSL Settings to "Accept" on the client certification authentication.
Now, I understand the following to be true (similar to 'request' in Apache): "Accept will take a certificate if it's presented, but will also continue with connections where the client doesn't present one."
However, since the upgrade, the IIS7 servers are unhappy with the BIG-IP handshake and I'm seeing TCP RST in the ssldump from the IIS7 servers.
I'm intrigued what has changed between the two versions to suddenly cause this behavior.
Is there a serverssl profile setting which would allow this to continue happily?
I appreciate that if a backend server (whatever the HTTP daemon/server is) would need SSL Proxying if ever direct client-server authentication was required, but I'm pretty sure that the communication in this case should've continued normally being the SSL Client Cert from IIS7 wasn't set to Require.
Appreciate any and all input on this.
Regards,
J.D.