Forum Discussion
Dennis_Zwahlen_
Nimbostratus
Apr 29, 2005
Emulate SSL persistence profile for LTM terminated SSL
What do I need to account for in my iRule to emulate the ssl persistence profile? We need to find a way to keep sticky connections when the ssl is terminated on the LTM. Any help is greatly appreciated.
14 Replies
- drteeth_127330
Historic F5 Account
If SSL is terminated on the LTM, then usually there is something to persist on in the higher-level protocol. For HTTP, you could use cookie persistence. Lacking that, you could persist on the source address or the SSL session id; however, there are caveats associated with both approaches. To emulate SSL session id persistence, you can do something like this:
persist uie [SSL::session_id]
- Travis_Brodeen_
Nimbostratus
What are the caveats of SSL session persistence?
I've read about the SSL cert being renegotiated by IE every 2 minutes? When this happens, will you lose the persistence?
It is critical that the persistence is not lost. Unfortunately, the requirement to use browser cookies is not desirable in our situation.
I believe this leaves us with source IP persistence as the only workable solution? Can anyone confirm?
Thanks!
- drteeth_127330
Historic F5 Account
If SSL is not terminated on the BIG-IP, then you are correct. Persistence is lost if the session is renegotiated. As I recall, the problem is that the renegotiation is encrypted so BIG-IP has no way of knowing what the new session id is. However, there is no problem if the BIG-IP is terminating the SSL.
- Travis_Brodeen_
Nimbostratus
I've tried using the following syntax for a new iRule and am receiving an error.
when CLIENTSSL_HANDSHAKE {
persist uie [SSL::session_id]
}
01070151:3: Rule [PersistSSL] error:
line 3: [undefined procedure: SSL::session_id] [SSL::session_id]
I believe we're close, I appreciate your help!
Travis
- drteeth_127330
Historic F5 Account
Try SSL::sessionid.
- Travis_Brodeen_
Nimbostratus
01070088:3: The requested object name (Persist SSL SessionID) is invalid.
Perhaps this is not available in the 1500 LTD version?
Thanks!
- drteeth_127330
Historic F5 Account
Are you trying to name the rule "Persist SSL SessionId"? The above error looks like a problem with the configuration system. I don't think it has anything to do with the SSL::sessionid rule command. Please try again. Maybe try a simpler name.
- Travis_Brodeen_
Nimbostratus
Silly mistake... thanks for your patience. The rule was accepted now.
I was speaking with a tech resource from F5 earlier and he was pretty sure that the SSL persistence will be lost during renegotiation. (Regardless of termination)
He is in the process of researching that issue for me. Are you 100% sure that it will not lose persistence when terminated? I'm trying it now.
Thanks!
- Craig_Hammer_10
Nimbostratus
Lots of conflicting info regarding LTM terminated SSL....
Can anyone explain the difference between these four rules, and which one will actually provide persistence for an LTM terminated SSL session?
Also, can anyone provide guidance regarding when to use "SSL::current_sessionid" vs. "SSL::sessionid" vs. "SSL::modssl_sessionid_headers" ?
1:
rule insert-and-persist-ssl-sessionid {
when HTTP_REQUEST {
HTTP::header insert ses_num SSL::current_sessionid
persist ssl
}
}
2:
rule insert-and-persist-ssl-sessionid {
when HTTP_REQUEST {
HTTP::header insert ses_num SSL::current_sessionid
persist uie
}
}
3:
rule insert-and-persist-ssl-sessionid {
when CLIENTSSL_HANDSHAKE {
persist uie [SSL::current_sessionid]
}
}
4:
rule insert-and-persist-ssl-sessionid {
when CLIENTSSL_HANDSHAKE {
persist ssl [SSL::current_sessionid]
}
}
Thank you
- drteeth_127330
Historic F5 Account
I think I can help. First, there is no such command as SSL::current_sessionid in BIG-IP 9.x. SSL::sessionid returns the negotiated session id encoded as a hex string. SSL::modssl_sessionid_headers takes two subcommands, initial or current.
SSL::modssl_sessionid_headers initial returns the list { SSLClientSessionId <id> } where <id> is the session id requested by the client.
SSL::modssl_sessionid_headers current returns the list { SSLClientCurrentSessionId <id> } where <id> is the session id that is actually used, i.e. the one returned by the server.
These lists are intended for use by HTTP::header insert.
Now, most of your rules are syntax errors since SSL::current_sessionid is not a valid command and persist uie requires an argument. Are you trying to persist on the SSL session id or are you attempting to insert the session id as an HTTP request header?
To persist on the SSL session id, configure a persistence profile for SSL session id persistence and assign it to the virtual. If this is the only persistence profile on the virtual, then there is no need for an iRule. The uie example that I provided earlier should work, but it's not necessary. I was confused by your question about emulating the persistence profile in a rule. The interesting point is that just about any persistence mode can be emulated with a UIE rule. I hope this helps...
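As an added illustration (not code from this thread or from F5), here is the UIE approach drteeth describes, extended with a fallback for a handshake that yields no session id and a log line for verifying stickiness; it assumes a client SSL profile is attached to the virtual and uses an arbitrary 600-second timeout:

```tcl
# Added example, not from this thread: emulate SSL session ID persistence
# with a UIE rule on a virtual where the LTM terminates SSL.
# Assumptions: a client SSL profile is attached (so CLIENTSSL_HANDSHAKE
# fires and SSL::sessionid is populated); the 600 s timeout is arbitrary.
when CLIENTSSL_HANDSHAKE {
    # Negotiated session ID as a hex string (assumed empty if no ID was
    # issued, e.g. when session caching is disabled on the profile).
    set sid [SSL::sessionid]
    if { $sid eq "" } {
        # Nothing to key on: fall back to source address persistence so
        # the client still sticks to one member.
        persist source_addr 255.255.255.255 600
        return
    }
    # Key the persistence record on the session ID. Because SSL is
    # terminated here, a resumed session presents the same ID and lands
    # on the same member; a full renegotiation yields a new ID and hence
    # a fresh record, which is the caveat discussed earlier in the thread.
    persist uie $sid 600
}

when LB_SELECTED {
    # Log which member each session ID was pinned to, so stickiness can be
    # checked in /var/log/ltm while testing the rule.
    if { [info exists sid] } {
        log local0. "client [IP::client_addr] sid $sid -> [LB::server addr]:[LB::server port]"
    }
}
```

Watch the log while repeating requests from one client: the same session id should map to the same member until the timeout expires or the client negotiates a new session.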