Forum Discussion

garfield831_116
Mar 07, 2013

SSL persistence & resumption - why doesn't it work

Hi All,

It's my first post here.

I have a project where the client connects to the server through F5.

F5 does decryption, WAF and then re-encryption and sends the traffic to one of the nodes.

Our requirement is that:

When the client connects to the VIP for the first time the application creates a normal SSL connection (establishment), but if the same client wants to connect another time, for example in 10 minutes and then in 20 minutes, the client should resume the existing session.

We will pay for each byte, so that's why I want to use SSL persistence (with SSL resumption).

I read that for traffic that is decrypted and re-encrypted the only option is to write an iRule.

I have created something like this:

https://devcentral.f5.com/tech-tips/articles/cert-information-in-your-http-headers.UTfd3Vd224o

but without success.

What should I add?

Version is BIG-IP 11.2.1 Build 807.0 Hotfix HF1

Thanks for any help

Marcin

14 Replies

  • I think that server profile configuration is not important in this case. Correct?

    After researching again, yes I agree.

    Would it be possible to post your virtual server, SSL profile and iRule configuration here?

  • I changed some names and IPs to xxxx

    ltm rule /Common/insert_ssl_session_id {
        when CLIENTSSL_CLIENTCERT {
            set cert [SSL::cert 0]
            set sn [X509::serial_number $cert]
            set subject [X509::subject $cert]
            set issuer [X509::issuer $cert]
            set version [X509::version $cert]
            session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
        }

        when HTTP_REQUEST {
            if { [SSL::cert count] < 1 } {
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode request
                SSL::renegotiate
            } else {
                set values [session lookup uie [SSL::sessionid] ]
                if { [lindex $values 0] != "" } {
                    HTTP::header insert XClientSSL_Serial [lindex $values 0]
                    log local0. "Inserting Serial [lindex $values 0]"

                    HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                    log local0. "Inserting Issuer [lindex $values 1]"

                    HTTP::header insert XClientSSL_Subject [lindex $values 2]
                    log local0. "Inserting Subject [lindex $values 2]"

                    HTTP::header insert XVersion [lindex $values 3]
                    log local0. "Inserting Version [lindex $values 3]"
                }
            }
        }
    }

    ltm virtual /Common/xxxx_VS_y.y.y.y {
        destination /Common/y.y.y.y:443
        http-class {
            /Common/xxxx
        }
        ip-protocol tcp
        mask 255.255.255.255
        pool /Common/xxxx_NET_POOL
        profiles {
            /Common/xxxx_TCP_profile { }
            /Common/xxxx {
                context clientside
            }
            /Common/xxxxx {
                context serverside
            }
            /Common/http_x_forwarded_for { }
        }
        rules {
            /Common/insert_ssl_session_id
        }
        snat automap
        translate-address enabled
        translate-port enabled
        vlans {
            /Common/xxx
        }
        vlans-enabled
    }

    ltm profile client-ssl /Common/xxxxx_client {
        app-service none
        cert /Common/xxxxx_cert.crt
        defaults-from /Common/clientssl
        key /Common/xxxxx_cert.key
        options { no-session-resumption-on-renegotiation }
        renegotiate-max-record-delay 100
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation request
    }

  • What is also very interesting, we made 4 probes today.

    I see in the logs:

    Mar 8 09:55:29 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Commonxxxx_net_clie
    Mar 8 09:58:27 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
    Mar 8 10:01:19 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
    Mar 8 10:09:14 tmm warning tmm[32185]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie

    1 was establishment
    2 and 3 were RESUMPTION
    4 was establishment

  • I do not get the "Self-initiated renegotiation attempted while renegotiation disabled" log in my lab. Is there anything I missed?

    This is my setting.

    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.2.1
      Build    807.0
      Edition  Hotfix HF1
      Date     Tue Oct  2 10:46:52 PDT 2012
    
    Hotfix List
    ID395272  ID397435  ID397882  ID397981
    
    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.119:443
        http-class {
            myhttpclass
        }
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            myclientssl {
                context clientside
            }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            insert_ssl_session_id
        }
        snat automap
        vlans-disabled
    }
    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm profile httpclass myhttpclass
    ltm profile httpclass myhttpclass {
        app-service none
        asm enabled
        defaults-from httpclass
    }
    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:443 {
                address 200.200.200.101
            }
        }
    }
    ltm profile client-ssl myclientssl {
        app-service none
        options { no-session-resumption-on-renegotiation }
        renegotiate-max-record-delay 100
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation request
    }
    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm rule insert_ssl_session_id
    ltm rule insert_ssl_session_id {
        when CLIENT_ACCEPTED {
            log local0. "--"
        }
        when CLIENTSSL_HANDSHAKE {
            log local0. "SSL session Id [SSL::sessionid]"
        }
        when CLIENTSSL_CLIENTCERT {
            log local0. "SSL session Id [SSL::sessionid]"

            set cert [SSL::cert 0]
            set sn [X509::serial_number $cert]
            set subject [X509::subject $cert]
            set issuer [X509::issuer $cert]
            set version [X509::version $cert]
            session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
        }

        when HTTP_REQUEST {
            log local0. ""
            log local0. "URI [HTTP::uri]"

            if { [SSL::cert count] < 1 } {
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode request
                SSL::renegotiate
                log local0. "SSL::renegotiate"
            } else {
                set values [session lookup uie [SSL::sessionid] ]
                if { [lindex $values 0] != "" } {
                    HTTP::header insert XClientSSL_Serial [lindex $values 0]
                    log local0. "Inserting Serial [lindex $values 0]"

                    HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                    log local0. "Inserting Issuer [lindex $values 1]"

                    HTTP::header insert XClientSSL_Subject [lindex $values 2]
                    log local0. "Inserting Subject [lindex $values 2]"

                    HTTP::header insert XVersion [lindex $values 3]
                    log local0. "Inserting Version [lindex $values 3]"
                }
            }
        }
    }
    
     /var/log/ltm
    
    [root@ve1121:Active:Standalone] config  tail -f /var/log/ltm
    Mar  9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
    Mar  9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b7b9c9e90e8b51ea846bd8eecda30b2eabf91a5de694dc878c
    Mar  9 16:07:38 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
    Mar  9 16:07:38 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b8b9c9e90e8b51ea846bd8eecda30b2eaaf91a5de694dc8780
    Mar  9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
    Mar  9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b9b9c9e90e8b51ea846bd8eecda30b2ea9f91a5de694dc8786
    Mar  9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id :
    Mar  9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : URI /
    Mar  9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL::renegotiate
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64bab9c9e90e8b51ea846bd8eecda30b2ea8f91a5de694dc8786
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64bab9c9e90e8b51ea846bd8eecda30b2ea8f91a5de694dc8786
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id :
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : URI /f5.gif
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Serial 01
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Issuer CN=caroot.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Subject CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
    Mar  9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Version 3
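The same session-table approach as the iRule posted in this thread, rewritten as an added example (not the poster's rule or F5-supplied code) so that the table is consulted before any renegotiation is forced, and so that client-supplied copies of the inserted headers are dropped before the request reaches the pool member. It assumes a resumed session presents the same [SSL::sessionid] with no client certificate on the connection and that the 1800 s table entry outlives the SSL session cache; every command is one already on the page except HTTP::header remove.

```tcl
# Added example, not the poster's rule or F5-supplied code. Assumed: a resumed
# session presents the same [SSL::sessionid] with no client certificate on the
# connection, and the 1800 s session-table entry outlives the SSL session cache.
when CLIENTSSL_CLIENTCERT {
    # Cache the certificate fields the pool member needs, keyed by SSL session id
    set cert [SSL::cert 0]
    session add uie [SSL::sessionid] \
        [list [X509::serial_number $cert] [X509::issuer $cert] \
              [X509::subject $cert] [X509::version $cert]] 1800
}

when HTTP_REQUEST {
    # Drop any client-supplied copies so the pool member can trust these headers
    foreach h {XClientSSL_Serial XClientSSL_Issuer XClientSSL_Subject XVersion} {
        HTTP::header remove $h
    }

    # Consult the session table first: on a resumed session the entry written
    # during the original full handshake is still there, so no renegotiation
    # (and none of its extra bytes) is needed
    set values [session lookup uie [SSL::sessionid]]

    if { [llength $values] != 4 && [SSL::cert count] > 0 } {
        # Entry expired while this connection stayed open: rebuild it from the live cert
        set cert [SSL::cert 0]
        set values [list [X509::serial_number $cert] [X509::issuer $cert] \
                         [X509::subject $cert] [X509::version $cert]]
        session add uie [SSL::sessionid] $values 1800
    }

    if { [llength $values] == 4 } {
        HTTP::header insert XClientSSL_Serial  [lindex $values 0]
        HTTP::header insert XClientSSL_Issuer  [lindex $values 1]
        HTTP::header insert XClientSSL_Subject [lindex $values 2]
        HTTP::header insert XVersion           [lindex $values 3]
        log local0. "Inserted cert headers for session [SSL::sessionid]"
    } else {
        # No table entry and no certificate: the only case that needs a renegotiation
        SSL::authenticate once
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}
```

With this ordering a full handshake (and its byte cost) is only incurred on the first connection from a client or after the table entry has expired; the /var/log/ltm line makes it easy to confirm which path each request took.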