More on SSLLabs rating - Secure Client-Initiated Renegotiation

Employee

Apr 28, 2014

can you try to disable renegotiation?

e.g.

 renegotiation is enabled (default)

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 9
}

[root@centos1 ~] openssl s_client -connect 172.28.24.10:443
CONNECTED(00000003)
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgICBYgwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJTXlDb21w
YW55MQswCQYDVQQLEwJJVDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWlu
MSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0x
MzExMTcwODU2MzdaFw0yMzExMTUwODU2MzdaMIGYMQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoTCU15Q29tcGFueTEL
MAkGA1UECxMCSVQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcG
CSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLsBpv7ujDWm7N1sDVquV+a5gWGF2lz+1u
TXhhvEJMlEYlorCK4EKQDfGjQGhfiq00GRWB+pAethEjMinyopaFGmqvxg+eZYYK
9lF1rb3r6vP0oUymL1lWCwvu9V1GKEN2sXovfdSv3LVIPLGf8xfW3HnGdF3A8cYl
WQDWfkc7GjFI3mZ4GHUzMko5cs2N5oU2q2G3gE8nxdKYwy3VTzXWvM+Q6o+0/n2V
i8jPgReWx8JvY+ybq1mBOJZpyxbRN3ddvLmLR4IpCEUT0uALittt10ZQ4uUpbNdq
XMoX8L8ser9fLx1L3R4Gqo6/DRaBOYn8scfLpgG408yzP9l2hKpNAgMBAAEwDQYJ
KoZIhvcNAQEFBQADggEBAFvYeMufu/bAf2tnPZvtlT9TgXudi45l7hN3fqLdvEey
33i+Os2ZOLbzKLPKTQ3DT74MCNwOPkGgiM4SS4eN2B3VROeX1UDmUJR/MK3I1qZQ
yn0icotAQhyPKIK44VubarB9hT4u30ZBzBWq0nqec4M4RJGJbshIfWYnt+lJUzyG
s22ul1p4N47mBvzFaHOLK3CEJcRVLx99HiMKZ9OT+XIEDZYwqBU/nhovPt+lowly
9aMRzNBCdTXaCDtOYuHbllsog4bonSPY1vm7ta9F204mp2cUkowMKtfRGD7XmVeK
VfmAwb5c8bCTHozfvydcwmfdjiSoYq9aiuEDNMvrj/E=
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1113 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 457BB7CC171B4139E605CD1C37DF7A0F18B4E399A2581AC7F190A8740FC3DCF1
    Session-ID-ctx:
    Master-Key: CE63065E8426FA7BE9D632B319EFFE4D5EA884891466706E39264AB8A9AD98942216F4F025DE20580A19160FDB2A0086
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1398746038
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
R
RENEGOTIATING
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1

 renegotiation is disabled

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 9
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-certkeychain true
    renegotiation disabled
}

[root@centos1 ~] openssl s_client -connect 172.28.24.10:443
CONNECTED(00000003)
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgICBYgwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJTXlDb21w
YW55MQswCQYDVQQLEwJJVDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWlu
MSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0x
MzExMTcwODU2MzdaFw0yMzExMTUwODU2MzdaMIGYMQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoTCU15Q29tcGFueTEL
MAkGA1UECxMCSVQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcG
CSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLsBpv7ujDWm7N1sDVquV+a5gWGF2lz+1u
TXhhvEJMlEYlorCK4EKQDfGjQGhfiq00GRWB+pAethEjMinyopaFGmqvxg+eZYYK
9lF1rb3r6vP0oUymL1lWCwvu9V1GKEN2sXovfdSv3LVIPLGf8xfW3HnGdF3A8cYl
WQDWfkc7GjFI3mZ4GHUzMko5cs2N5oU2q2G3gE8nxdKYwy3VTzXWvM+Q6o+0/n2V
i8jPgReWx8JvY+ybq1mBOJZpyxbRN3ddvLmLR4IpCEUT0uALittt10ZQ4uUpbNdq
XMoX8L8ser9fLx1L3R4Gqo6/DRaBOYn8scfLpgG408yzP9l2hKpNAgMBAAEwDQYJ
KoZIhvcNAQEFBQADggEBAFvYeMufu/bAf2tnPZvtlT9TgXudi45l7hN3fqLdvEey
33i+Os2ZOLbzKLPKTQ3DT74MCNwOPkGgiM4SS4eN2B3VROeX1UDmUJR/MK3I1qZQ
yn0icotAQhyPKIK44VubarB9hT4u30ZBzBWq0nqec4M4RJGJbshIfWYnt+lJUzyG
s22ul1p4N47mBvzFaHOLK3CEJcRVLx99HiMKZ9OT+XIEDZYwqBU/nhovPt+lowly
9aMRzNBCdTXaCDtOYuHbllsog4bonSPY1vm7ta9F204mp2cUkowMKtfRGD7XmVeK
VfmAwb5c8bCTHozfvydcwmfdjiSoYq9aiuEDNMvrj/E=
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1113 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 457BB7CC171B413AE605CD1C37DF7B0F93CF6BA1292392CFF190A8740FC3DCCE
    Session-ID-ctx:
    Master-Key: F62821AA6B19FFFC0960A2BD9DB155E285F450D93CB73FD6936D124E2FA938ADFABFDEBDC63CE3C11914B9966606B01D
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1398746099
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
R
RENEGOTIATING
16040:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
16040:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

Forum Discussion

More on SSLLabs rating - Secure Client-Initiated Renegotiation

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

[ASM] : "Request length exceeds defined buffer size " - How to increase the limit ?

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

Problem with sending BotDefense logs to remote server

ASM/AWAF declarative policy

Managing iRules configuration

Related Content

SSL Legacy Renegotiation vs Secure Renegotiation Explained using Wireshark

SSL Profiles Part 6: SSL Renegotiation

client-initiated SSO issue

SSL Ciphers (SSLLabs) Warning

SSL renegotiation DOS mitigation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS