Forum Discussion

Skuba_85554
Aug 11, 2009

bypassing client authentication

I've got a virtual server listening on 443 which uses both a certificate for SSL and also requires client authentication. This works fine.

I've now been informed of another set of users who want to access the same site but don't want to have to authenticate (although they still want their sessions to be encrypted using SSL).

Is there a way of making use of the same virtual server with an iRule which determines from the URI whether or not they need to authenticate?

Thanks

13 Replies

  • Hi Aaron

    I've tested the iRule today and it seems to work great. Is there any way that I can log unsuccessful client authentication attempts?

    Thanks
  • Hi Skuba,

    You could add logic in CLIENTSSL_HANDSHAKE to check for clients making a request with no cert after the renegotiation. You could also validate the client cert against either the SSL cert in the client SSL profile or using a trusted CA cert. You can use SSL::verify_result. You'd probably also want to check the AUTH::status value in AUTH_RESULT to see whether the OCSP validation was completed successfully.

    Note there is an issue where you can't differentiate between no response and a revoked status from the OCSP responder using AUTH::status. F5 is tracking this in CR126501. A workaround is to create a pool containing the OCSP server IP address(es) and then use a monitor to check the status of the pool. You can then use [active_members $ocsp_pool] in your iRule to detect whether the OCSP servers are down.

    Aaron
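The approach Aaron describes above, written out as an added example iRule (this is not code from the original thread or from F5): requests to paths under a protected prefix trigger a renegotiation that requires a client certificate, the result is checked and logged in CLIENTSSL_HANDSHAKE, and AUTH_RESULT consults a monitored pool of OCSP responders to tell "responder down" apart from "validation failed". Assumptions: the client SSL profile's Client Certificate mode is set to "request" or "ignore" so the initial handshake succeeds without a cert, /secure/ is a hypothetical protected path, ocsp_pool is a hypothetical pool containing the OCSP responder IPs, and an OCSP auth profile has been started for the session so that AUTH_RESULT fires.

```tcl
# Added example iRule, not from the original thread. Assumed names:
# /secure/ (protected path prefix) and ocsp_pool (monitored OCSP responder pool).

when CLIENT_ACCEPTED {
    set need_cert 0
    set req_path ""
}

when HTTP_REQUEST {
    # Only paths under /secure/ require a client certificate; all other
    # paths are served over TLS without client authentication.
    set req_path [string tolower [HTTP::path]]
    if { $req_path starts_with "/secure/" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request, then ask the client for a certificate by
            # renegotiating in "require" mode. The outcome is evaluated in
            # CLIENTSSL_HANDSHAKE, which releases the held request.
            set need_cert 1
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    if { $need_cert } {
        set need_cert 0
        if { [SSL::cert count] == 0 } {
            # Client completed the renegotiation without presenting a certificate.
            log local0.warn "client cert required but none presented: client [IP::client_addr] path $req_path"
            reject
            return
        }
        if { [SSL::verify_result] != 0 } {
            # A certificate was presented but failed chain validation against
            # the trusted CA configured in the client SSL profile.
            log local0.warn "client cert failed verification ([X509::verify_cert_error_string [SSL::verify_result]]): subject [X509::subject [SSL::cert 0]] client [IP::client_addr]"
            reject
            return
        }
        log local0.info "client cert accepted: subject [X509::subject [SSL::cert 0]] client [IP::client_addr] path $req_path"
        HTTP::release
    }
}

when AUTH_RESULT {
    # Reached only when an OCSP auth profile is validating the presented cert
    # for this session (assumed to be configured alongside the client SSL profile).
    if { [AUTH::status] ne "AUTH_SUCCESS" } {
        if { [active_members ocsp_pool] == 0 } {
            # Workaround from the reply above: AUTH::status alone cannot tell
            # "no response" apart from "revoked", so check the monitored pool.
            log local0.err "OCSP responders down (ocsp_pool has no active members): cannot validate cert for [IP::client_addr]"
        } else {
            log local0.warn "OCSP validation failed for [IP::client_addr]: status [AUTH::status]"
        }
        reject
    }
}
```

The path is captured in HTTP_REQUEST and carried in a variable because HTTP commands are not safe to call from CLIENTSSL_HANDSHAKE. Each failure branch logs the client address and the reason before rejecting, which gives the failed-attempt log the earlier reply asked for without leaking anything to the client.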
  • Hi Skuba,

    I am having difficulties joining the LTM to the domain for my VIP. I am following the LTM guide for Kerberos and trying to join, and I get this error every time I try:

    Run msktutil
    $s = system("KRB5CCNAME=$cc msktutil $verboseflag --server $kdcname --computer-name $shortname --hostname $hostcmd --delegation -c --upn HOST/$hostcmd");
    die "Couldn't join domain($s)." unless $s == 0;
    Add the HTTP service principal.
    $s = system("KRB5CCNAME=$cc msktutil $verboseflag --server $kdcname --computer-name $shortname --hostname $hostname --service HTTP");
    unlink $cc;

    I have created a new virtual server; on the VIP, it shows the DNS name. I'm using the following command from PuTTY: [root@OA-PP-LB2:Standby] config domaintool --debug --join --admin_principal admin --host

    The DC can do forward and reverse lookups on DNS. Any assistance in this situation will be appreciated. What settings do you have in your working VIP?

    Thanks.