[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 359
  • Last Modified:

F5 BIG-IP SSL and non-SSL



We are looking to implement a solution whereby users must use SSL to access a particular web app if they have the correct client cert. For users who don't have the cert yet we want the solution to automatically revert to use HTTP for this app and continue. We want it to be seamless to the user.

We plan on using the BIG-IP for the SSL termination at the perimeter.

Can the big-ip detect that the users machine doesn't have the cert and redirect to http? Or am I way off course here? Are there other ways to do this?
0
58872
Asked:
58872
1 Solution
 
Dave BaldwinFixer of ProblemsCommented:
You'll probably have to ask BIG-IP.  The general problem you are facing is that when you request an SSL connection, it gets negotiated First before anything else.  If it fails, you don't get anything but an error.  That would be normal.  Maybe BIG-IP can do something else.
0
 
SteveJCommented:
Yes, you can redirect based on an SSL negotiation error. The problem is that will defeat the purpose of requiring a specific client cert unless you also filter on the source IP address. That is, 'sneaky pete' wants access to your app but doesnt have the appropriate cert. You end up effectively giving it to him.

What am I missing?

Steve
0
 
58872Author Commented:
Thanks
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now