Forum Discussion
boneyard
MVP
Feb 09, 2012
ending SSL session
I'm looking for a different way of completely ending an SSL session or having a totally new (including full handshake) session started. As pointed out in the thread below, the SSL::session invalidate doesn't seem to behave as expected. Especially in CMP mode the session often remains active.
Has anyone experienced this before and / or found another way to actively end SSL sessions or force the start of a new SSL session?
Thread which discusses the SSL::session invalidate issue:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1180464/showtab/groupforums/Default.aspx
5 Replies
- Michael_Yates
Nimbostratus
Hi Boneyard,
If the devices you are using are also multi-processor then you might want to open up a case to see if they have created a fix for this bug yet. Perhaps it has been released in a later HF for v10.2.2. I know at this point they are up to HF4 969.0 and the post that you referenced is from July of 2011.
Also, depending on how abrupt you want to be with the connection you could try an SSL::disable followed by a reject to kill the session and connection.
Similar to this post: How To Avoid SSL Handshake When No Pool Member Available.
Hope this helps.
- hoolio
Cirrostratus
Hi Boneyard,
As Michael said, I'd open a case with F5 Support to get an official response on this. If you do, please reply back with the case number.
Thanks, Aaron
- hoolio
Cirrostratus
Actually, I found the bug:
BZ365698 - ssl::invalidate does not work correctly on CMP environment
I'd open a case with Support and ask for an engineering hotfix to be provided for you.
Aaron
- Seems there is an engineering hotfix for 10.2.2 hf1 / 10.2.3 available, looking into getting that.
As for the SSL::disable and reject, that probably requires client side action to continue further, right? An HTTP session would be interrupted to the point that a client has to refresh the page manually?
- hoolio
Cirrostratus
I'd get the engineering hotfix. Short of that, I can't think of a simple, efficient way to work around the issue.
Aaron