Hi e0013192,
you may take a look at the iRule below. It changes the SSL settings to require authentication if a specific URI was requested, and then simply pauses the ongoing HTTP request until an SSL re-negotiation has been successfully completed.

when CLIENT_ACCEPTED {
    # Per-connection flag: 1 while a renegotiation for a client cert is pending
    set session_cert 0
}
when CLIENTSSL_HANDSHAKE {
    # Only act on the handshake that this iRule triggered via SSL::renegotiate
    if { $session_cert } then {
        if { [SSL::cert count] > 0 } then {
            log -noname local0.debug "Client cert is OK; releasing HTTP request."
            HTTP::release
            set session_cert 0
        } else {
            log -noname local0.debug "Client cert is not OK; rejecting TCP connection."
            reject
        }
    }
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/soap" } then {
        log -noname local0.debug "Certificate required for: [HTTP::uri]"
        if { [SSL::cert count] == 0} {
            log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
            set session_cert 1
            # Hold the request, then switch the connection to require a client cert and renegotiate
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

Note: You have to configure the "Trusted CA" and "Advertised CA" settings in your Client SSL Profile, but leave the "Client Certificate" setting set to "Ignore". This will be controlled by this iRule.
Cheers, Kai