Michael_57131
Apr 14, 2017
Nimbostratus
Clear SSL state
Is there an iRule option to clear the SSL state, like what can be done in IE in the internet options with the Clear SSL state in content settings?
Certificate verification by the SSL Server has a simple iRule command like SSL::cert mode request and then SSL::renegotiate. As long as the client has a certificate this works great.
But if the client doesn't have any certificates, like they haven't inserted the Smart Card, SSL never succeeds and the client can't finish the SSL negotiation.
I'm trying to figure out if there's an iRule command I can use in an Event that allows me to reset the state of the connection until the client has a valid certificate.
The desired scenario is:
1. There are no certificates available to the browser session initially.
2. The user requests a web site that requires SSL client authentication.
3. The user has no certificates and sees an error page to insert his smart card, with a meta refresh tag in the HTML.
4. The user inserts his smart card.
5. Repeat the meta refresh tag until certificates are available in the browser.
6. When certificates are available, the user is prompted for his smart card PIN.
Sacrificing brevity. I've tried to loop through the events with a counter at the top. If the Client doesn't have the cert, I can get the meta-refresh working with the HTTP::respond 200 content, but the browser never tries to renegotiate with the newly available certificates. In between the loops the iRule does another SSL::cert request SSL::renegotiate. Wireshark shows a new TCP session, new ephemeral ports on the clients, and I see the TLS hello handshake. But it doesn't work.
Only if I use the IE button to "Clear SSL State" then wait for the next meta-refresh to finish, it works as expected.