Client SSL Profile - Renegotiation setting

Question

I am looking at the subtleties of the Renegotiation setting in the Client SSL Profile at the moment. &nbsp;
&nbsp;Can someone please tell me the difference between...&nbsp;
&nbsp;     1. Not ticking the Custom tick box for the Renegotiation setting - ie leaving the Renegotiation setting grayed out
&nbsp;     2. Ticking the Custom tick box for the Renegotiation setting but leaving the Renegotiation tick box unticked - ie specifically disabling Renegotiation &nbsp;
&nbsp;?&nbsp;
&nbsp;The Help for Renegotiation says... &nbsp;
&nbsp;Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. When enabled, the system processes mid-stream SSL renegotiation requests. When disabled, the system terminates the connection, or ignores the request, depending on system configuration. The default is disabled. &nbsp;
&nbsp;If I check the bigip.conf when I implement the two scenarios above I can see that for scenario 1 the config states       &nbsp;
&nbsp;     renegotiate disable &nbsp;
&nbsp;but in scenario 2 the profile has no mention of renegotiate - does this mean renegotiation is disabled?&nbsp;
&nbsp;Regards,&nbsp;
&nbsp;fergu5&nbsp;&nbsp;&nbsp;

hooleylist · Answer

Hi fergu5, 
&nbsp;  
&nbsp; There is a subtle difference between 1 and 2.  For 1 if someone changes the parent profile's Renegotiation setting, the child profile will inherit that change.  If you click the customize but leave the Renegotiation option unchecked then this profile won't inherit the setting from the parent profile. 
&nbsp;  
&nbsp; Aaron

magnum_ip · Answer

Thanks Hoolio, that's got it clear in my head now. &nbsp;&nbsp;
&nbsp;Thanks for overlooking my number typo too. &nbsp;
&nbsp;The last few lines of my original post should have read... &nbsp;&nbsp;     If I check the bigip.conf when I implement the two scenarios above I can see that for scenario 2 the config states &nbsp;
&nbsp;          renegotiate disable &nbsp;
&nbsp;     but in scenario 1 the profile has no mention of renegotiate - does this mean renegotiation is disabled?&nbsp;
&nbsp;Regards,&nbsp;
&nbsp;fergu5&nbsp;&nbsp;

hooleylist · Answer

I got the gist of the question anyhow :) 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Client SSL Profile - Renegotiation setting

3 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side

iControl REST / Change a setting in ASM logging profile

Re: SSL Renegotiation DOS attack – an iRule Countermeasure

What is HTTP Part V - HTTP Profile Basic Settings

SSL renegotiation DOS mitigation