Forum Discussion

boneyard's avatar
Feb 09, 2012

ending SSL session

i'm looking for a different way of completely ending a SSL session or having a totally new (including full handshake) session started. as pointed out in the thread below the SSL:session invalidate doesn't seem to behave as expected. especially in CMP mode the session often remains active.



has anyone experienced this before and / or found another way to activally end SSL sessions or force the start of a new SSL session?



thread which discusses SSL::session invalidate issue



5 Replies

  • Hi Boneyard,



    If the devices you are using are also multi-processor then you might want to open up a case to see if they have created a fix for this bug yet. Perhaps it has been released in a later HF for v10.2.2. I know at this point they are up to HF4 969.0 and the post that you referenced is from July of 2011.



    Also, depending on how abrupt you want to be with the connection you could try an SSL::disable followed by a reject to kill the session and connection.



    Similar to this post: How To Avoid SSL Handshake When No Pool Member Available.



    Hope this helps.


  • Hi Boneyard,



    As Michael said, I'd open a case with F5 Support to get an official response on this. If you do, please reply back with the case number.



    Thanks, Aaron
  • Actually, I found the bug:



    BZ365698 - ssl::invalidate does not work correctly on CMP environment



    I'd open a case with Support and ask for an engineering hotfix be provided for you.



  • seems there is an engineering hotfix for 10.2.2 hf1 / 10.2.3 available, looking into getting that.



    as for the SSL::disable and reject, that probably requires client side action to continue further right? a http session would be interupted to the point that a client has to refresh the page manually?
  • I'd get the engineering hotfix. Short of that, I can't think of a simple, efficient way to work around the issue.