Forum Discussion

fraguet_53463
Feb 22, 2018

Modify SSL Sign Hash in SSL client profile or change SSL client profile before renegotiating.

Hi

I have a VS with an SSL client profile. This SSL client profile is configured with an SSL Sign Hash value of "SHA1" and client authentication.

If the SSL negotiation results in no certificate being sent from the client, I want to renegotiate with the SSL Sign Hash value at SHA256 (only SHA256 and SHA1 can be used, that's why I don't use the value ANY).

I see 2 different solutions:

1) Modify the SSL Sign Hash value in the SSL client profile and use the renegotiate command (SSL::renegotiate).

2) Change the SSL client profile (SSL::profile) and renegotiate (SSL::renegotiate).

My problems are, for each solution:

1) I didn't find the iRule command to modify the SSL Sign Hash in an SSL client profile.

2) The only event where I can use the SSL::profile command is CLIENT_ACCEPTED, which is not triggered after the SSL::renegotiate command.

If anyone has a solution...

Thank you.

Fred

1 Reply

  • I think you should be able to use SSL::profile outside of the CLIENT_ACCEPTED event. I assume you check for the certificate in CLIENTSSL_CLIENTCERT; if there is no client cert, change the SSL::profile there, flag it with a variable, and on the HTTP_REQUEST event use SSL::renegotiate. That should force the renegotiation using the second SSL profile.
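The sequence the reply describes, written out as a complete iRule. This is an added illustration, not code from the thread, from the poster or from F5. The profile names `clientssl_sha1` (the SHA1 profile already attached to the virtual server) and `clientssl_sha256` are placeholders, and the iRule assumes, as the reply does, that `SSL::profile` is accepted in CLIENTSSL_CLIENTCERT on the TMOS version in use; the original post reports that only CLIENT_ACCEPTED accepts it, so confirm that the iRule loads and behaves as expected in a lab before relying on it. The per-connection flags guard against renegotiating more than once, and the log lines make it visible how often clients take the fallback path.

```tcl
# Added example of the reply's suggestion; not code from the thread or from F5.
# Placeholders: "clientssl_sha1" is the profile on the VS (SHA1 sign hash, client
# auth), "clientssl_sha256" is the second profile to switch to.
# Assumption (as in the reply): SSL::profile is accepted in CLIENTSSL_CLIENTCERT.

when CLIENT_ACCEPTED {
    # Per-connection state. renegotiated: 0 = first handshake, 1 = renegotiation
    # already requested (prevents a renegotiation loop).
    set renegotiated 0
    # switch_profile: set when the first handshake produced no client cert.
    set switch_profile 0
}

when CLIENTSSL_CLIENTCERT {
    # Runs when the client's Certificate message is processed; a count of 0
    # means the client presented no certificate.
    if { $renegotiated == 0 && [SSL::cert count] == 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port] sent no client cert; switching to SHA256 profile"
        # Swap the client SSL profile so the next handshake uses the SHA256 sign hash
        SSL::profile clientssl_sha256
        set switch_profile 1
    }
}

when HTTP_REQUEST {
    # Renegotiate exactly once, and only if the first handshake had no cert.
    if { $switch_profile == 1 && $renegotiated == 0 } {
        set renegotiated 1
        # Hold the request until the second handshake completes
        HTTP::collect
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires after each completed handshake; only act after the renegotiation.
    if { $renegotiated == 1 } {
        log local0. "renegotiation done for [IP::client_addr]; client certs presented: [SSL::cert count]"
        # Release the buffered request. Whether a connection that still has no
        # certificate may proceed is left to the profile's client auth settings.
        HTTP::release
    }
}
```

Because the second handshake also raises CLIENTSSL_CLIENTCERT, the `renegotiated` check there is what stops the iRule from switching profiles and renegotiating again on every request; the `[SSL::cert count]` value in the final log line tells you whether the SHA256 fallback actually made a difference for that client.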