Hi WagnerFS,
you may try the code below as a starting point...
when CLIENTSSL_CLIENTCERT {
    # Fires once the client has presented a certificate during the renegotiation
    # triggered below; release the HTTP request that was held in HTTP_REQUEST.
    if { [SSL::cert count] > 0 } {
        log -noname local0.debug "Client cert is OK; releasing HTTP request."
        HTTP::release
    }
}
when HTTP_REQUEST {
    # Only the /context path tree requires a client certificate.
    if { [string tolower [HTTP::uri]] starts_with "/context" } then {
        log -noname local0.debug "Certificate required for: [HTTP::uri]"
        if { [SSL::cert count] == 0 } {
            log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
            # Hold the request, then renegotiate the TLS session with a client cert required.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
Note: Tweak your Client SSL Profile so that it trusts and advertises just the desired CA chain.
Cheers, Kai
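An added variant of the CLIENTSSL_CLIENTCERT event (not Kai's code; the HTTP_REQUEST event above stays as is) that releases the held request only when the presented certificate actually chained to the profile's trusted CA bundle, and drops the connection otherwise. It assumes `SSL::verify_result` returns 0 on successful verification and that `reject` is permitted in this event.

```tcl
when CLIENTSSL_CLIENTCERT {
    # A cert being present is not enough: also check the verification outcome
    # (0 = verified against the trusted CA bundle configured on the profile).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Log the subject so access to /context can be attributed in the logs.
        log -noname local0.debug "Client cert OK: [X509::subject [SSL::cert 0]]; releasing HTTP request."
        HTTP::release
    } else {
        # Non-zero result codes follow OpenSSL's X509 verification errors (assumption).
        log -noname local0.warn "Client cert missing or failed verification (result [SSL::verify_result]); rejecting."
        reject
    }
}
```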