SSL Client Profile based on the URL

Cirrostratus

Jan 24, 2011

Hi Miguel,

You might be able to just add both CA root certs to the same bundle and configure that in the client SSL profile.

If that doesn't work, you could potentially select the client SSL profile based on the requested URI. You'd need to use SSL::renegotiate after parsing the URI to determine which client SSL profile to select. You could then call SSL::profile to select that profile. Here are the related wiki pages for this:

http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__renegotiate

http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__profile

Here is a rough, untested idea of what the SSL renegotiation might look like:


when HTTP_REQUEST {

    Check the requested path
   switch -glob [HTTP::path] {
      "/profile1_uri/*" {
         HTTP::collect
         SSL::session invalidate
         SSL::authenticate always
         SSL::authenticate depth 9
         SSL::cert mode require
         SSL::renegotiate
         SSL::profile profile1_clientssl
      }
      "/profile2_uri/*" {
         HTTP::collect
         SSL::session invalidate
         SSL::authenticate always
         SSL::authenticate depth 9
         SSL::cert mode require
         SSL::renegotiate
         SSL::profile profile2_clientssl
      }
   }
}

If you try this, add some debug logging, test with a client cert from each CA and reply back with details of any issues you encounter.

Aaron

Forum Discussion

SSL Client Profile based on the URL

Recent Discussions

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

F5Access | MacOS Sonoma

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

About client profile (apm-forwarding-client-tcp)

Pass client cert based on POST data

WAF - URL advance option - header based content profiles

Client SSL profile based on uri

HTTPS communication and client and server ssl profile