Client ssl

Question

I want use a clientssl profile for some IP address and another clientssl profile for another range of IP adress.
&nbsp;Try to make a iRule and dont run.
&nbsp;Any ideas?
&nbsp;Thanks

nicolas_menant · Answer

Hi,&nbsp;
&nbsp;Could you show use your iRule and any logging you did ?  &nbsp;
&nbsp;Thanks&nbsp;&nbsp;

salvador_del_re · Answer

profile clientssl uno_prof {
&nbsp;   defaults from clientssl
&nbsp;   key "uno.key"
&nbsp;   cert "uno.crt"
&nbsp;}&nbsp;
&nbsp;profile clientssl dos_prof {
&nbsp;   defaults from clientssl
&nbsp;   key "dos.key"
&nbsp;   cert "dos.crt"
&nbsp;}&nbsp;
&nbsp;virtual vs_https {
&nbsp;   snat automap
&nbsp;   pool http_pool
&nbsp;   destination 172.16.6.102:https
&nbsp;   ip protocol tcp
&nbsp;   rules certificado
&nbsp;   profiles
&nbsp;      tcp
&nbsp;      test-cert
&nbsp;}
&nbsp; when CLIENT_ACCEPTED {
&nbsp;set certuno uno_prof
&nbsp;set certdos dos_prof
&nbsp;log "certificado uno $certuno certif2 $certdos"
&nbsp;PROFILE::clientssl [$certuno]
&nbsp;}&nbsp;&nbsp;&nbsp;
&nbsp;Error&nbsp;
&nbsp;Feb 27 13:47:55 tmm tmm[1675]: 01220002:6: Rule certificado : certificado uno uno_prof certif2 dos_prof
&nbsp;Feb 27 13:47:55 tmm tmm[1675]: 01220001:3: TCL error: certificado  - invalid command name "uno_prof"     while executing "$certuno"&nbsp;&nbsp;

nicolas_menant · Answer

Remove your [] around [$certuno] ^^&nbsp;
&nbsp;Moreover i don't think that will do what you want. &nbsp;
&nbsp;If you check the wikis it is used to retrieve value and not set new one:&nbsp;
&nbsp;example: when HTTP_REQUEST {
&nbsp;set resultat [PROFILE::clientssl key]
&nbsp;log local0. "res: $resultat"
&nbsp;}&nbsp;
&nbsp;it will return the key used for the ssl transaction&nbsp;
&nbsp;You need to use the command SSL::profile name_of_your_profile&nbsp;
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__profile.html&nbsp;
&nbsp;HTH&nbsp;&nbsp;

salvador_del_re · Answer

Finally make the next iRule and my problem it´s resolved.&nbsp;
&nbsp;Thanks a lot&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;if { [matchclass [IP::client_addr] equals $::Direcciones_internas]
&nbsp;}
&nbsp;{
&nbsp;SSL::profile uno_prof
&nbsp;}
&nbsp;else
&nbsp;{
&nbsp;SSL::profile dos_prof
&nbsp;}
&nbsp;}&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;virtual vs_https {
&nbsp;   snat automap
&nbsp;   pool http_pool
&nbsp;   destination 172.16.6.102:https
&nbsp;   ip protocol tcp
&nbsp;   rules certificado
&nbsp;   profiles
&nbsp;      clientssl
&nbsp;      tcp
&nbsp;}&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;profile clientssl uno_prof {
&nbsp;   defaults from clientssl
&nbsp;   key "uno.key"
&nbsp;   cert "uno.crt"
&nbsp;}&nbsp;&nbsp;
&nbsp;}
&nbsp;profile clientssl dos_prof {
&nbsp;   defaults from clientssl
&nbsp;   key "dos.key"
&nbsp;   cert "dos.crt"
&nbsp;}&nbsp;
&nbsp;}
&nbsp;class Direcciones_internas {
&nbsp;   network 172.16.0.0/16
&nbsp;   networks 10.10.6.0/24
&nbsp;   networks 192.168.6.0/24
&nbsp;}&nbsp;&nbsp;&nbsp;

Forum Discussion

Client ssl

4 Replies

Recent Discussions

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Related Content

SSL Profiles Part 8: Client Authentication

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side

SSL Orchestrator Advanced Use Cases: Client Certificate Constrained Delegation (C3D) Support

SSL Profiles

TLS Fingerprinting to profile SSL/TLS clients without decryption