SSL::authenticate

Description

Overrides the current setting for authentication frequency or for the maximum depth of certificate chain traversal.

Syntax

SSL::authenticate <"once" | "always">
SSL::authenticate depth <number>

SSL::authenticate <"once" | "always">

  • Valid in a client-side context only, this command overrides the client-side SSL connection’s current setting regarding authentication frequency.

SSL::authenticate depth <number>

  • When the system evaluates the command in a client-side context, the command overrides the client-side SSL connection’s current setting regarding maximum certificate chain traversal depth.
  • When the system evaluates the command in a server-side context, the command overrides the server-side SSL connection’s current setting regarding maximum certificate chain traversal depth.

Examples

when CLIENT_ACCEPTED {
  set session_flag 0
}
when CLIENTSSL_HANDSHAKE {
  # Fires when the (re)negotiated handshake completes; release the held
  # request once a client certificate is present.
  if { [SSL::cert count] != 0 } {
    log "Client cert is OK; releasing HTTP request."
    HTTP::release
  }
}
when HTTP_REQUEST {
  if { [HTTP::uri] starts_with "/secure/" } {
    log "Certificate required for: [HTTP::uri]"
    if { [SSL::cert count] == 0 } {
      log "No cert found. Holding HTTP request until a client cert is presented..."
      # Hold the request, then force a renegotiation that requires a cert
      # and allows a chain of up to 9 certificates to be traversed.
      HTTP::collect
      set session_flag 1
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      SSL::renegotiate
    }
  } else {
    log "No certificate needed for: [HTTP::uri]"
  }
}
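The example above holds a request until a certificate arrives but never checks whether the chain actually verified. The following added iRule (not from the original page or from F5) shows the failure-mode side of the depth setting: it sets a tighter depth limit up front in the client-side context and, after the handshake, inspects SSL::verify_result so that a certificate whose chain is too long or whose issuer is untrusted is rejected rather than silently accepted. It assumes the client SSL profile on the virtual server already carries a trusted CA bundle; the depth value of 2 and the log wording are illustrative choices.

```tcl
when CLIENT_ACCEPTED {
    # Client-side context: ask for the client certificate once per
    # connection and cap chain traversal at two certificates above the leaf.
    # Assumed: the client SSL profile already has its trusted CA bundle set;
    # these commands only override frequency and depth for this connection.
    SSL::authenticate once
    SSL::authenticate depth 2
    SSL::cert mode require
}

when CLIENTSSL_HANDSHAKE {
    # Belt-and-braces check: mode "require" should already have failed the
    # handshake without a certificate, but be explicit about it.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    # SSL::verify_result is 0 when the presented chain validated against the
    # profile's trusted CAs within the configured depth. Any other value is
    # an OpenSSL verification error code (for example a chain that exceeds
    # the depth limit, or an issuer that is not trusted).
    set vres [SSL::verify_result]
    set subject [X509::subject [SSL::cert 0]]
    if { $vres != 0 } {
        log local0. "Client cert '$subject' failed verification (code $vres); rejecting"
        reject
        return
    }
    log local0. "Client cert '$subject' verified within depth limit 2"
}
```

Logging the verification code alongside the subject gives an operator enough to tell a misconfigured depth limit (legitimate deep chains being refused) apart from genuinely untrusted certificates when reviewing the LTM log.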