Forum Discussion
2 Replies
Sort By
Hi Tamer,
You may take a look to the links below. The links are showing you the needed syntax to overwrite the configured SSL-Profile settings to require Auth/Client-Certs on a request basis, and to re-negotiates the SSL connection on the fly...
https://devcentral.f5.com/articles/selective-client-cert-authentication
https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx
A sample iRule would look like that...
when CLIENTSSL_HANDSHAKE { if { [SSL::cert count] == 0 } { log -noname local0.debug "Client cert is not OK; rejecting TCP connection." reject } else { log -noname local0.debug "Client cert is OK; releasing HTTP request." HTTP::release } } when HTTP_REQUEST { if { [string tolower [[HTTP::uri]] starts_with "/admin" } then { log -noname local0.debug "Certificate required for: [HTTP::uri]" if { [SSL::cert count] == 0} { log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..." HTTP::collect SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate } } }
Note: Once the functionality is verified, you may remove/comment the
commands.[log]
Cheers, Kai
- Tamer_Ezzat_235Nimbostratus
Thanks Kai,
I will use this and will update you.
Regards,