ltm rule command SSL authenticate
iRule(1) BIG-IP TMSH Manual iRule(1)
SSL::authenticate
Overrides the current setting for authentication frequency or for the
maximum depth of certificate chain traversal.
SYNOPSIS
SSL::authenticate (once | always | (depth DEPTH))
DESCRIPTION
Overrides the current setting for authentication frequency or for the
maximum depth of certificate chain traversal.
SSL::authenticate <"once" | "always">
Valid in a client-side context only, this command overrides the
client-side SSL connection's current setting regarding authentication
frequency.
SSL::authenticate depth
When the system evaluates the command in a client-side context, the
command overrides the client-side SSL connection's current setting
regarding maximum certificate chain traversal depth.
When the system evaluates the command in a server-side context, the
command overrides the server-side SSL connection's current setting
regarding maximum certificate chain traversal depth.
RETURN VALUE
VALID DURING
ANY_EVENT
EXAMPLES
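when CLIENT_ACCEPTED {
    # Per-connection flag, set to 1 once a request is held pending a client cert.
    set session_flag 0
}
when CLIENTSSL_HANDSHAKE {
    # Runs when a client-side SSL handshake completes.
    if { [SSL::cert count] != 0 } {
        log "Client cert is OK; releasing HTTP request."
        HTTP::release
    }
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/secure/" } {
        log "Certificate required for: [HTTP::uri]"
        if { [SSL::cert count] == 0 } {
            log "No cert found. Holding HTTP request until a client cert is presented..."
            HTTP::collect
            set session_flag 1
            # Override the connection's current settings: authenticate on
            # every handshake, traverse chains up to depth 9, require a
            # client certificate, then renegotiate to request it.
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    } else {
        log "No certificate needed for: [HTTP::uri]"
    }
}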
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-9.0.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)