Forum Discussion
Erki_Märks_2779
Nimbostratus
Aug 01, 2008
SSLRequire
Is there an option like SSLRequire in Apache for BIG-IP?
I would like to know if the following is possible in BIG-IP:
SSLRequire %{SSL_CLIENT_I_DN_O} eq "test"
12 Replies
- Nicolas_Menant
Employee
You should check the SSL capabilities: Click here and Click here
For each command you can see some examples about how it works.
- Erki_Märks_2779
Nimbostratus
I would appreciate it if someone could give some examples. Unfortunately I'm not able to figure this one out on my own.
- hoolio
Cirrostratus
It looks like you're trying to validate that the client's cert was generated from a specific server cert/key. Here is a previous user's post on how he validated the client cert and handled requests without a cert (Click here).
You could add a check of the issuer using X509::issuer (Click here).
Aaron
- Erki_Märks_2779
Nimbostratus
SSLRequire %{SSL_CLIENT_I_DN_O} eq "test"
means that only the cert with SSL_CLIENT_I_DN_O eq "test" is displayed in the cert list when a client certificate is asked for. So you won't have to scroll the window and search for the cert in a long list.
- hoolio
Cirrostratus
Sorry, I guess I misinterpreted the SSLRequire definition. If the option changes which certs are displayed, I'm guessing this is something that would need to be configured in the client SSL profile on the VIP. I think you can import a CA certificate and configure that on the client SSL profile as the trusted client CA (Click here). You could also try configuring this cert as the advertised cert authority (Click here).
I haven't tested these options much. If they don't work, you could try opening a case with support or replying here.
Aaron
- Erki_Märks_2779
Nimbostratus
Hi, so how could I open a support case?
- hoolio
Cirrostratus
Hi there,
You can contact F5 Support via the following phone numbers (Click here), email (emailclerk@f5.com) or via the https://websupport.f5.com page. If/when you do find a solution, could you post back here for everyone's benefit?
Thanks,
Aaron
- Erki_Märks_2779
Nimbostratus
I can turn on "Advertised Certificate Authorities" from the client SSL profile, but can I do this in an iRule? Support couldn't answer that. I also can't change the SSL profile from "when HTTP_REQUEST", and I don't know the URI in "when CLIENT_ACCEPTED".
So how do I turn on the Advertised Certificate Authorities option here?
    # $uri is assumed to have been set earlier in HTTP_REQUEST, e.g. set uri [HTTP::uri]
    if { $uri starts_with "/idauth" } {
        # hold the request while the client cert is renegotiated
        HTTP::collect
        SSL::authenticate always
        SSL::authenticate depth 3
        SSL::cert mode require
        SSL::renegotiate
    }
- Erki_Märks_2779
Nimbostratus
Since I didn't find a way to turn on the Advertised Certificate Authorities option from an iRule, one of the solutions seems to be to make a clientssl profile as follows (you can't enable 'client cert ca "id_ee.crt"' from the GUI, but what you can do is edit bigip.conf with a text editor and then "b load"):
    profile clientssl idauth_optional {
        defaults from clientssl
        key "web.key"
        cert "web.crt"
        ca file "id_ee.crt"
        client cert ca "id_ee.crt"
        peer cert mode ignore
    }
- hoolio
Cirrostratus
If you edit the config to add this option it will potentially get overwritten if another change is made to the client SSL profile via the GUI.
Does anyone else have ideas on how to configure this option via the GUI or in an iRule? If not, I'd suggest going back to F5 Support and asking them for a supported method for configuring this.
Aaron
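The thread separates two things: which CAs the client is told about during the handshake (the profile's trusted/advertised CA settings, which control what the browser's cert picker shows) and whether the BIG-IP rejects a client cert whose issuer is wrong. The second part, the server-side equivalent of `SSLRequire %{SSL_CLIENT_I_DN_O} eq "test"`, can be done with X509::issuer as hoolio suggested. The iRule below is an added example written for this thread, not code from any of the posters or from F5; it assumes a client SSL profile that requests or requires a client certificate with the issuing CA in its trusted CA list (so the handshake validates the signature), and it takes the organisation name "test" from the original question. The DN separator handling (comma or slash) is an assumption about how the issuer string is rendered.

```tcl
# Added example: enforce "issuer O must equal test" on a BIG-IP client
# SSL virtual. Assumes the client SSL profile asks for a client cert and
# trusts the issuing CA; this rule only adds the issuer-organisation check.

when CLIENTSSL_CLIENTCERT {
    # Client presented no certificate: drop the connection
    if { [SSL::cert count] == 0 } {
        log local0. "Client cert check: no certificate presented from [IP::client_addr]"
        reject
        return
    }

    # The handshake-level chain validation must have passed (0 = X509_V_OK)
    if { [SSL::verify_result] != 0 } {
        log local0. "Client cert check: verify_result [SSL::verify_result] from [IP::client_addr]"
        reject
        return
    }

    # Issuer DN of the leaf certificate, e.g. "C=EE, O=test, CN=ID CA"
    set issuer [X509::issuer [SSL::cert 0]]

    # Match O=test as a whole RDN so that OU=test or O=testing do not pass.
    # Accepts either comma- or slash-separated DN rendering (assumption).
    if { ! [regexp -- {(^|[,/] ?)O=test($|[,/])} $issuer] } {
        log local0. "Client cert check: rejecting issuer <$issuer> from [IP::client_addr]"
        reject
        return
    }

    log local0. "Client cert check: accepted issuer <$issuer> from [IP::client_addr]"
}
```

Because the check runs in CLIENTSSL_CLIENTCERT, it applies whether the certificate was requested at the initial handshake or via the on-demand SSL::renegotiate pattern from earlier in the thread; a rejected connection never reaches HTTP_REQUEST with the wrong issuer. Keep the log lines while testing so that rejections can be correlated with the profile's CA settings, then trim them once the behaviour is confirmed.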