Forum Discussion

Manuel_Gabaldon
Jul 05, 2006

SSL renegotiation in version 9.2.3

I'm trying to implement an iRule that changes the SSL cert mode and then renegotiates, but SSL::renegotiate doesn't seem to work.

When looking at HttpWatch I get an INTERNET_SECURITY_CHANNEL_ERROR, even if I don't change the certificate mode.

Does anybody know if this command works for sure?

Thanks.

4 Replies

  • 
    Colin_Walker_12
    Historic F5 Account
    I've certainly heard of people successfully using SSL::renegotiate.

    Perhaps you could post your rule so we could take a look at how it's being used?

    Colin
  • Alright, it is documented here:

    http://devcentral.f5.com/Default.aspx?tabid=29&ArticleType=ArticleView&ArticleID=39&PageID=46

    It's the "needcert"/"gotcert" approach, but by modifying it I have reduced it to a specific problem with the renegotiation part.

    Even with this iRule, browsing fails:

        when HTTP_REQUEST {
            # Only force a client certificate for the protected URI
            if { [HTTP::uri] starts_with "/needcert" } {
                log local0. "Requiring certificate..."
                # Switch the client SSL profile from "ignore" to "request"
                # so the next handshake asks the browser for a certificate
                SSL::cert mode request
                # Force a new handshake on the existing connection
                SSL::renegotiate
            }
        }


    It seems that when renegotiating, it is unable to instruct the browser to send a certificate.

    We're planning to redirect to a second virtual server with another SSL profile as a workaround, but it is inelegant, I guess.

    Thanks for your help.
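For readers who only see the reduced rule above, here is the full "needcert"/"gotcert" shape it was cut down from: buffer the request, ask for a certificate, renegotiate, then inspect the result in CLIENTSSL_CLIENTCERT before releasing the request. This is an added example written for this page, not the poster's rule or F5's published one; the "/needcert" URI and the log messages are assumptions, and the logging in CLIENTSSL_CLIENTCERT is there so you can tell a renegotiation that never asked for a certificate (the symptom reported in this thread) from a browser that simply declined to send one.

```tcl
# Added example, not from the thread. Assumes a client SSL profile whose
# default client certificate mode is "ignore" and a protected URI of
# /needcert (both assumptions).
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/needcert" } {
        # Only renegotiate once per connection: if a certificate has
        # already been presented, let the request through as-is.
        if { [SSL::cert count] == 0 } {
            # Hold the request so it can be replayed after the handshake
            HTTP::collect
            # Ask the browser for a certificate on the next handshake
            SSL::cert mode require
            # Start that handshake on the existing connection
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the renegotiated handshake has reached the certificate
    # step. If this never logs, the handshake did not ask for a cert at
    # all, which is the "mode did not change" failure discussed above.
    if { [SSL::cert count] > 0 } {
        log local0. "gotcert: subject [X509::subject [SSL::cert 0]]"
    } else {
        log local0. "gotcert: renegotiation finished with no client certificate"
    }
    # Release the request buffered in HTTP_REQUEST
    HTTP::release
}
```

Watch /var/log/ltm while loading /needcert with a browser that holds a usable certificate: a "gotcert" line with a subject means the mode change and renegotiation both took effect; no line at all means the renegotiated handshake never requested a certificate, and the SSL profile itself (or a second virtual server with a "request"/"require" profile, as the poster planned) is the fallback.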
  • We've just found that this is a bug in version 9.2.3, for which a hotfix is currently in progress, concerning the "SSL::cert mode" part. It doesn't change the operation mode, so the iRule doesn't work.

    It is working fine on 9.1.2, though.
  • Will the "SSL::cert mode" bug be fixed in 9.4.0 too? I found it doesn't work in the 9.4.0 beta now.