Differentiate between client-initiated and server-initiated SSL renegotiations
Hi!
I'm trying to configure my F5 LTM 11.3 to allow server-initiated SSL renegotiations but reject client-initiated SSL renegotiations. In the clientssl profile I've configured a renegotiation period of 600 seconds, as I want to be able to renegotiate with the client, but only if I ask for it (Hello Request message sent from the F5 to the client), and after that I've unchecked the Renegotiate checkbox, as I don't want to accept client-initiated renegotiations.
The problem is that the SSL renegotiation options in the clientssl profile don't seem to let me differentiate between client- and server-initiated renegotiations. If I uncheck the Renegotiation option then I can't renegotiate with the client when I ask for it, because the Hello sent from the client in answer to my Hello Request message is rejected, and I'd like it to be accepted since I asked for it.
It'd be nice to have two options, client-initiated renegotiation and server-initiated renegotiation, so I could check or uncheck the specific behaviour that I want to allow or reject.
Knowing this limitation, I'm now exploring whether I could solve it with an iRule, but I guess I can't, as the CLIENTSSL_HANDSHAKE event is called when the handshake is finished and I'd need to be able to abort the handshake before it's made.
So... is there any way to detect the "Hello Request" message in my iRule to manage the CLIENTSSL_HANDSHAKE accordingly? Has anyone solved this problem of differentiating between client- and server-initiated renegotiations?
Thanks! Looking forward to hearing your thoughts!
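The policy the question asks for, as an added illustration that is not part of the original post and not F5 code: a per-connection state machine on the TLS-terminating side that accepts a ClientHello after the initial handshake only when the server itself sent a HelloRequest (server-initiated), and rejects any unsolicited ClientHello (client-initiated). The HandshakeType values come from RFC 5246 section 7.4; the `RenegotiationPolicy` class, its field names and the scripted exchange in `simulate()` are assumptions made for the example. Note that after the first handshake the renegotiation messages travel under the session's existing cipher, so only the endpoint that terminates TLS can see the handshake type and apply this check; a passive sensor sees only the record-layer content type and direction.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# HandshakeType values from RFC 5246, section 7.4
HELLO_REQUEST = 0
CLIENT_HELLO = 1
FINISHED = 20


def handshake_message(msg_type: int, body: bytes = b"") -> bytes:
    """Build a TLS handshake message: 1-byte type, 3-byte length, body.
    Used here only to construct sample input; a HelloRequest has an empty body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse_handshake_header(msg: bytes) -> Tuple[int, int]:
    """Return (msg_type, body_length); reject truncated or inconsistent messages."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    msg_type = msg[0]
    length = int.from_bytes(msg[1:4], "big")
    if len(msg) - 4 < length:
        raise ValueError("handshake body shorter than declared length")
    return msg_type, length


@dataclass
class RenegotiationPolicy:
    """Hypothetical per-connection state kept by the TLS-terminating side."""
    period: float = 600.0                 # seconds between server-initiated renegotiations
    initial_handshake_done: bool = False
    last_handshake_at: Optional[float] = None
    hello_request_pending: bool = False   # set when we send HelloRequest, cleared by the reply
    log: List[str] = field(default_factory=list)

    def due_for_renegotiation(self, now: float) -> bool:
        """True once the renegotiation period has elapsed since the last completed handshake."""
        return (self.initial_handshake_done
                and self.last_handshake_at is not None
                and now - self.last_handshake_at >= self.period)

    def server_sends_hello_request(self, now: float) -> bytes:
        """Server-initiated renegotiation: the next ClientHello is solicited."""
        self.hello_request_pending = True
        self.log.append(f"{now}: sent HelloRequest")
        return handshake_message(HELLO_REQUEST)

    def on_client_handshake_message(self, msg: bytes, now: float) -> str:
        """Return 'accept' or 'reject' for a handshake message received from the client."""
        msg_type, _ = parse_handshake_header(msg)
        if msg_type == FINISHED:
            self.initial_handshake_done = True
            self.last_handshake_at = now
            return "accept"
        if msg_type != CLIENT_HELLO or not self.initial_handshake_done:
            return "accept"               # first handshake, or a non-hello message
        if self.hello_request_pending:
            self.hello_request_pending = False   # one ClientHello per HelloRequest
            self.log.append(f"{now}: server-initiated renegotiation accepted")
            return "accept"
        self.log.append(f"{now}: unsolicited ClientHello rejected (client-initiated)")
        return "reject"


def simulate() -> List[str]:
    """Constructed exchange: initial handshake, an unsolicited client renegotiation,
    then a server-requested one after the period elapses. A real endpoint would close
    the connection on 'reject'; the model keeps going to show both branches."""
    p = RenegotiationPolicy(period=600)
    client_hello = handshake_message(CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32)
    finished = handshake_message(FINISHED, b"\x00" * 12)
    decisions = [
        p.on_client_handshake_message(client_hello, now=0),    # initial handshake
        p.on_client_handshake_message(finished, now=1),
        p.on_client_handshake_message(client_hello, now=100),  # client-initiated: reject
    ]
    if p.due_for_renegotiation(now=601):
        p.server_sends_hello_request(now=601)
    decisions.append(p.on_client_handshake_message(client_hello, now=602))  # solicited: accept
    decisions.append(p.on_client_handshake_message(finished, now=603))
    decisions.append(p.on_client_handshake_message(client_hello, now=604))  # unsolicited again
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The `hello_request_pending` flag is the whole point: the profile's single Renegotiate setting collapses "did I ask for this?" into one boolean for both directions, whereas the decision above depends on whether a HelloRequest was sent on this connection since the last Finished.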