Forum Discussion
hooleylist
Aug 14, 2009Cirrostratus
The clientssl profile you add to the virtual server should have client cert set to ignore and then the iRule dynamically requests (or requires) a client cert for specific URIs using the SSL:: commands.
If you set the cert mode to require, a client who doesn't send a cert when it's prompted will receive a TCP reset. If you want to handle this more gracefully, you could set the profile to request and then have the app send a response if no cert is present.
You'll probably want to insert the client cert in the session table and include some details about the cert in the HTTP headers in requests to the pool. This way the pool member can validate the cert before allowing the request. This could also be done in the iRule using the clientssl profile's Trusted CA cert field and the SSL::verify command.
Aaron