Forum Discussion
Angel_Lopez_116
Mar 26, 2014
Altostratus
Differentiate between client-initiated and server-initiated SSL renegotiations
Hi!
I'm trying to configure my F5 LTM 11.3 to be able to allow server-initiated SSL renegotiations but reject client-initiated SSL renegotiations. In the clientssl profile I've configured a rene...
Angel_Lopez_116
Altostratus
Thanks, I'll have a look at all those links.
Filip_Verlaeckt
May 22, 2014
Historic F5 Account
Hello,
I want to achieve the same thing as described by Angel Lopez. The point is that I need to block client-to-BIGIP initiated renegotiations while allowing BIGIP-to-client initiated ones (these renegotiations are triggered by an iRule).
Although the SSL reneg rate limiting iRule is a good solution, it is not good enough for my use case. Let me explain.
The customer is using SSL Labs (https://www.ssllabs.com/ssltest/) to get a summary of the SSL security posture of their site. They use this result to help differentiate their service from the competition.
This test merely checks if the site allows SSL reneg. As the result is positive, it marks this as a negative result.
The way around would be to block these client-initiated renegs, but for that I need to be able to differentiate.
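The distinction asked about in this thread, as an added example that is not part of any post and is not F5 or iRule code: in TLS 1.2 and earlier, a server-initiated renegotiation starts with a HelloRequest handshake message (type 0), so a ClientHello on an established connection with no HelloRequest before it was started by the client. The event tuples, function names and sample sequence are assumptions constructed for the illustration; they model what the TLS endpoint sees after decryption.

```python
# Added illustration: a server-side view of handshake messages on ONE connection.
# HandshakeType values are from RFC 5246; everything else here is hypothetical.
HELLO_REQUEST, CLIENT_HELLO, FINISHED = 0, 1, 20

def classify_renegotiations(events):
    """events: iterable of (sender, handshake_type), sender is "client" or "server".
    Returns one label per handshake: "initial", "server-initiated", "client-initiated"."""
    labels = []
    established = False            # first handshake has completed
    in_handshake = False           # a handshake is currently in progress
    hello_request_pending = False  # server asked for a renegotiation
    finished_from = set()          # which sides have sent Finished
    for sender, htype in events:
        if (sender, htype) == ("server", HELLO_REQUEST):
            # Only meaningful on an idle, established connection.
            if established and not in_handshake:
                hello_request_pending = True
        elif (sender, htype) == ("client", CLIENT_HELLO) and not in_handshake:
            if not established:
                labels.append("initial")
            elif hello_request_pending:
                labels.append("server-initiated")
            else:
                labels.append("client-initiated")
            in_handshake, hello_request_pending = True, False
            finished_from.clear()
        elif htype == FINISHED and in_handshake:
            finished_from.add(sender)
            if finished_from == {"client", "server"}:
                established, in_handshake = True, False
    return labels

def policy(labels):
    """Policy wanted in the thread: refuse only client-initiated renegotiations."""
    return ["reject" if label == "client-initiated" else "allow" for label in labels]

# Constructed sample: initial handshake, then a renegotiation the server requested,
# then one the client started on its own.
HANDSHAKE = [("client", CLIENT_HELLO), ("client", FINISHED), ("server", FINISHED)]
SAMPLE = HANDSHAKE + [("server", HELLO_REQUEST)] + HANDSHAKE + HANDSHAKE

if __name__ == "__main__":
    for label, action in zip(classify_renegotiations(SAMPLE),
                             policy(classify_renegotiations(SAMPLE))):
        print(f"{label:17s} -> {action}")
```

A client is allowed to ignore a HelloRequest, so a real implementation would also expire the pending flag after a timeout rather than leave it set indefinitely.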