Forum Discussion

Eric_Van
Jan 07, 2015

Change Client SSL Profile Based On Browser

We have a virtual server that uses a Client SSL profile which has a wildcard certificate. We recently had the certificate re-issued, moving from SHA-1 to SHA-2. This works fine for most of our users, however we have a large user population that still uses WinXP SP2 / IE 6, which is not able to use the SHA-2 certificate. So, we had to roll back to the SHA-1 certificate. Is there some way, through an iRule or some other method, to have multiple client SSL profiles assigned to the same virtual server, and have it specify that any user running IE 6 uses the SSL profile with the SHA-1 certificate, and everybody else uses the SSL profile with SHA-2?

 

1 Reply

  • I don't think you can do that. The browser determination would be based on the User-Agent header that comes with the HTTP request, and that wouldn't be accessible before the SSL handshaking.

     

    This link describes the handshake process for SSL/TLS.
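To illustrate the reply's point, here is an added example (not part of the original thread and not F5 code): a Python parser run over two constructed ClientHello records, showing the only fields a server has seen at the moment it must choose a certificate. The helper names, the host name and the sample values are assumptions made for the illustration.

```python
import struct

def build_client_hello(version, suites, extensions=()):
    """Build a constructed TLS ClientHello record (sample input, not a capture)."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = bytes(version) + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return the fields visible to the server before it sends its certificate."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                 # record header (5) + handshake header (4)
    info = {"version": tuple(record[p:p + 2])}
    p += 2 + 32                                           # client_version, random
    p += 1 + record[p]                                    # session_id
    n = struct.unpack_from("!H", record, p)[0]            # cipher_suites byte length
    info["cipher_suites"] = list(struct.unpack_from("!%dH" % (n // 2), record, p + 2))
    p += 2 + n
    p += 1 + record[p]                                    # compression_methods
    info["extensions"] = {}
    if p < len(record):                                   # the extensions block is optional
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p < end:
            ext_type, size = struct.unpack_from("!HH", record, p)
            info["extensions"][ext_type] = record[p + 4:p + 4 + size]
            p += 4 + size
    return info

def sni_name(info):
    """Host name from the server_name extension (type 0), or None if absent."""
    data = info["extensions"].get(0)
    if not data:
        return None
    n = struct.unpack_from("!H", data, 3)[0]              # skip list length (2) + name type (1)
    return data[5:5 + n].decode("ascii")

# Constructed samples: a TLS 1.0 hello with no extensions, and a TLS 1.2 hello
# carrying server_name (0) and signature_algorithms (13: sha256/rsa, sha1/rsa).
host = b"www.example.com"
sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
sig_algs = struct.pack("!H", 4) + bytes([4, 1, 2, 1])
LEGACY = build_client_hello((3, 1), (0x0004, 0x0005, 0x000A))
MODERN = build_client_hello((3, 3), (0x002F, 0x0035), [(0, sni), (13, sig_algs)])
```

Neither record contains an HTTP header: the request, and with it User-Agent, is sent as application data only after the handshake has completed.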