Differentiate between client-initiated and server-initiated SSL renegotiations
I followed the iRule as described in:
https://devcentral.f5.com/articles/ssl-renegotiation-dos-attack-ndash-an-irule-countermeasure
Except I put the code from the CLIENTSSL_HANDSHAKE event in the CLIENTSSL_CLIENTHELLO event instead. Also, instead of using the maxquery variable of 5, I set it to 1 and added an additional flag to the if condition that references that variable; I set the flag when I request renegotiation on the server side. That ensures renegotiation only occurs when initiated by the server.
I tested it using SSLyze --reneg and confirmed it blocked client-side renegotiation.
https://github.com/nabla-c0d3/sslyze
when RULE_INIT {
    # Assumed: the referenced article defines this in RULE_INIT. It is the
    # window (seconds) over which ClientHellos on one connection are counted.
    set static::seconds 60
}

when CLIENT_ACCEPTED {
    # Per-connection random key for the session table entries below
    set rand [expr { int(10000000 * rand()) }]
}

when CLIENTSSL_CLIENTHELLO {
    # Count every ClientHello on this connection (initial handshake and renegotiations)
    set reqno [table incr "reqs$rand"]
    table set -subtable "reqrate:$rand" $reqno "ignored" indefinite $static::seconds
    # server_renegotiate is set where the server-side renegotiation is requested
    # (not shown in the post). Unless it exists, any ClientHello after the first
    # is a client-initiated renegotiation: delay it, then drop the connection.
    if { ![info exists server_renegotiate] and [table keys -count -subtable "reqrate:$rand"] > 1 } {
        after 5000
        drop
    }
}

when CLIENT_CLOSED {
    table delete reqs$rand
    table delete -subtable reqrate:$rand -all
}
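As an added example (not the poster's code nor the article's), one way the flag described above can be set and cleared so that only the renegotiation BIG-IP itself requests is let through. It assumes the renegotiation is triggered from HTTP_REQUEST to demand a client certificate on a hypothetical /secure/ path, and that static::seconds is defined in RULE_INIT.

```tcl
when RULE_INIT {
    # Assumed value; the referenced article keeps it in a static:: variable.
    set static::seconds 60
}

when CLIENT_ACCEPTED {
    set rand [expr { int(10000000 * rand()) }]
    # Connection-scoped flag: 1 only while a renegotiation we requested is pending.
    set server_renegotiate 0
}

when HTTP_REQUEST {
    # Hypothetical trigger: require a client certificate for /secure/ only.
    if { [HTTP::uri] starts_with "/secure/" && [SSL::cert count] == 0 } {
        set server_renegotiate 1
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTHELLO {
    set reqno [table incr "reqs$rand"]
    table set -subtable "reqrate:$rand" $reqno "ignored" indefinite $static::seconds
    # The first ClientHello is always allowed; later ones only if we asked for them.
    if { $server_renegotiate == 0 && [table keys -count -subtable "reqrate:$rand"] > 1 } {
        after 5000
        drop
    }
}

when CLIENTSSL_HANDSHAKE {
    if { $server_renegotiate == 1 } {
        # Our requested handshake finished: release the held request and clear
        # the flag so further client-initiated renegotiations are blocked again.
        set server_renegotiate 0
        HTTP::release
    }
}

when CLIENT_CLOSED {
    table delete reqs$rand
    table delete -subtable reqrate:$rand -all
}
```

Clearing the flag in CLIENTSSL_HANDSHAKE is the part worth checking in any variant of this rule: if it is only ever set, a single server-requested renegotiation would permit every later client-initiated one on that connection.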