Forum Discussion
hooleylist
Oct 15, 2009 (Cirrostratus)
That example wouldn't work well for clients who try to resume an existing SSL session. You would want to store the SSL session ID in the session table and then check on new requests if the current SSL session ID has a corresponding entry in the session table before checking if there is a cert.
This codeshare example shows how to validate the client cert and store valid cert details in the session table:
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Also, to force some IE browser versions to pick a new SSL session ID when renegotiating the SSL handshake you should use SSL::session invalidate before calling SSL::renegotiate:
# Force renegotiation of the SSL connection with a cert requested
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
And if you want to gracefully handle clients who don't provide a cert you would want to set SSL::cert mode to request and then send some kind of response if the cert isn't present.
Aaron
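The two points in the post above (look the SSL session ID up in the session table before deciding whether a cert is needed, and use "request" mode so a missing cert gets an HTTP response rather than a dropped connection) put together in one iRule. This is an added example, not the codeshare iRule linked in the post and not Aaron's code; the /secure/ path prefix, the X-Client-Cert-Subject header name, the 180-second table timeout and the use of CLIENTSSL_HANDSHAKE as the place to record the verdict are my assumptions.

```tcl
# Added example, not the linked codeshare iRule. Gates a URI prefix on a validated
# client certificate and keys the verdict off the SSL session ID so that a client
# resuming an existing SSL session is not forced through another renegotiation.
# Assumed values: "/secure/" path prefix, 180 s session-table timeout, header name.

when HTTP_REQUEST {
    # Only the protected path needs a client certificate
    if { not ([HTTP::uri] starts_with "/secure/") } {
        return
    }

    # Resumed SSL session: reuse the verdict stored when the cert was first checked.
    # The stored value is the list {ok <subject>} or the word "fail".
    set verdict [session lookup ssl [SSL::sessionid]]
    if { $verdict ne "" } {
        if { [lindex $verdict 0] eq "ok" } {
            HTTP::header insert X-Client-Cert-Subject [lindex $verdict 1]
            return
        }
        # Graceful response instead of a reset for a session that sent no valid cert
        HTTP::respond 403 content "A valid client certificate is required for this resource"
        return
    }

    # No verdict yet: force a fresh handshake that asks for a certificate.
    # SSL::session invalidate makes some IE versions pick a new session ID,
    # and "request" rather than "require" lets the failure be reported over HTTP.
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode request
    SSL::renegotiate
    # Hold the request until the renegotiated handshake has completed
    HTTP::collect
}

when CLIENTSSL_HANDSHAKE {
    # Fires after the renegotiated handshake. Record the outcome against the
    # SSL session ID so later requests on a resumed session skip the check.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        session add ssl [SSL::sessionid] [list ok [X509::subject [SSL::cert 0]]] 180
        # Let the held request continue to the pool
        HTTP::release
    } else {
        # Remember the failure, then drop this connection; when the browser
        # reconnects and resumes the SSL session, HTTP_REQUEST answers with the 403.
        session add ssl [SSL::sessionid] "fail" 180
        reject
    }
}
```

The verdict is written in CLIENTSSL_HANDSHAKE rather than HTTP_REQUEST because the certificate only exists after the renegotiated handshake; storing both "ok" and "fail" outcomes is what keeps a client that never sends a cert from being renegotiated on every request while still getting an HTTP status it can display.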