Forum Discussion

jermc777_185784
Feb 05, 2015

Client Authentication - Trusted Certificate Authority

My website requires user authentication with user name and password. Example: www.mysiteABC.com. I want to allow users to access this as they normally do, but if they were to go to www.mysiteABC.com/DEFG it would request them to provide a certificate from a trusted certificate authority. I have sites that "require" this for the entire site \ VIP, but I have never done one that is a "request" and processes as normal if they do not provide a trusted cert. Can anyone help with an iRule for this?

10 Replies

  • My first instinct here would be to use an iRule and the virtual command. These kinds of changes in behavior mid-flow on a single virtual have caused problems for me in the past.

    Basically - SubVirtual1 would be set up with no Auth - SubVirtual2 would be set up with only Auth.

    The main VIP, using the address in DNS for www.mysiteABC.com, would have an iRule that would look something like this:

    when HTTP_REQUEST {
        # HTTP::uri begins with "/", so match "/DEFG" (HTTP::url is not an iRule command)
        if { [string toupper [HTTP::uri]] starts_with "/DEFG" } {
            # /DEFG goes to the virtual that asks for the client certificate
            virtual SubVirtual2
        } else {
            # everything else goes to the virtual with no client cert auth
            virtual SubVirtual1
        }
    }
    
    • jermc777_185784
      Thanks for this response. I think the way you describe will work, but I really would like to see this done with an iRule and not by creating additional VIPs. If that fails I will try what you have above.
  • I may be wrong, but I am not sure if this is possible without a redirect and a connection closure.

    Any iRule you do with HTTP_REQUEST means that a valid TCP+SSL connection was already established, potentially without a client-side certificate. You cannot serve that HTTP request unless you force an SSL renegotiation and this time force a client certificate to be presented.

  • I think it may be possible because this is in the client authentication description on F5.com.

    The Request setting is often used in conjunction with iRules to provide selective access depending on the certificate presented. For example, this option would be useful if you would like to allow clients who present a certificate from the configured trusted CA to gain access to the application, while clients who do not provide the required certificate are redirected to a page that details the access requirements.

    I would like the access requirements page to be the user name and password logon authentication page.

  • OK, you can definitely do what you are describing now. Set up your clientssl profile to "Request" instead of "Require" a client certificate.

    This way the SSL handshake is successful for both end users which presented a certificate and those who did not.

    In the CLIENTSSL_HANDSHAKE event, check if a certificate was presented and whether it matched any of your policies. Based on those checks, set a flag.

    Now you can use the flag in the HTTP_REQUEST event to either provide access or redirect to an info page which tells users what they need.

    Best.
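
    The flag-based approach described above, written out as an added example (not code from the original post or from F5). It assumes the clientssl profile is set to "Request", that /DEFG is the gated path from the question, and that /login is the existing username/password page (a constructed name); the clientssl profile's trusted CA bundle decides what "trusted" means.

```tcl
# Assumes: clientssl profile client-cert mode = Request, so the handshake
# completes whether or not a certificate was presented (as the post says).
when CLIENTSSL_HANDSHAKE {
    # Default: no acceptable client certificate on this SSL session.
    set cert_ok 0
    if { [SSL::cert count] > 0 } {
        # SSL::verify_result is 0 (X509_V_OK) only when the presented cert
        # chained to a CA in the profile's trusted CA bundle and was not
        # expired/revoked per the profile's checks.
        if { [SSL::verify_result] == 0 } {
            set cert_ok 1
        } else {
            log local0. "client cert rejected, verify_result=[SSL::verify_result] from [IP::client_addr]"
        }
    }
}

when HTTP_REQUEST {
    # Only the /DEFG tree is gated on the certificate; everything else
    # (including the /login page, so no redirect loop) uses the normal flow.
    if { [string toupper [HTTP::path]] starts_with "/DEFG" } {
        if { !([info exists cert_ok] && $cert_ok) } {
            # No trusted cert on this connection: send the user to the
            # username/password page instead of failing the handshake.
            # "/login" is a placeholder for the real logon URI.
            HTTP::redirect "https://[HTTP::host]/login?return=[URI::encode [HTTP::uri]]"
            return
        }
        # Pass the verified subject to the application so it can map the
        # certificate to a user; strip any client-supplied copy first.
        HTTP::header remove X-Client-Cert-Subject
        HTTP::header insert X-Client-Cert-Subject [X509::subject [SSL::cert 0]]
    }
}
```

    Because iRule variables are connection-scoped, the flag set during the handshake is visible to every HTTP request on that keep-alive connection, which is what makes the single-VIP approach work without a second virtual.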

  • Give this a try:

    when HTTP_REQUEST {
        if { [string toupper [HTTP::uri]] starts_with "/DEFG" } {
            # only renegotiate if no client cert has been presented on this session yet
            if { [SSL::cert count] == 0 } {
                SSL::cert mode require
                # the mode change only takes effect at a handshake, so force one
                SSL::renegotiate
            }
        } else {
            SSL::cert mode request
        }
    }
    

    I don't have a good place to test this, but this makes me think it could work.

    "the system stores the received peer certificate in the SSL session table, so the certificate is available to the specified iRule commands as long as the SSL session is valid. In previous releases, the CLIENTSSL_CLIENTCERT iRule event retrieved the peer certificate; now the stored certificate can also be retrieved inside the HTTP_REQUEST event."
    https://devcentral.f5.com/wiki/iRules.SSL__cert.ashx

    • jermc777_185784
      I tried this but it did not seem to work. I have set my SSL profile to "request" and then to "require", and I also tried "ignore" in both of those statements above, but the URL just hangs or is looking for a cert.