Forum Discussion

mbehring_108094's avatar
mbehring_108094
Icon for Nimbostratus rankNimbostratus
Oct 01, 2007

Problems with ssl_session_id Check

Hi,

 

 

we terminate our ssl Traffic directly on the ltm. From the Ltm

 

to the node of our cluster it's unencrypted. Now we use a webcms System wich checks

 

the ssl_session_id on the several node. When a session exist the cms knows that it's https, when not then it starts a redirection to https. But because of the ssl encryption on the ltm the session_id only exist on the ltm not on the node. Is there a solution to fake the session on the node, or to set a static session_id?

 

 

check from the cms:

 

 

return $_SERVER['SSL_SESSION_ID'] || !strcmp($_SERVER['HTTPS'],'on') ? TRUE : FALSE;

 

 

Thanks

 

 

dev
devops
iControl

2 Replies

  • Joe_Pruitt's avatar
    Joe_Pruitt
    Oct 02, 2007
    If all you are doing is looking for a header of "SSL_SESSION_ID" or "HTTPS" you can easily add them with an iRule

    when HTTP_REQUEST {
   Set the SSL_SESSION_ID header value to "12345"
  HTTP::header add "SSL_SESSION_ID" 12345
   or set the SERVER header to "on"
  HTTP::header add "HTTPS" "on"
}

    So now all requests will have the two headers being sent to your backend application regardless of whether it came from the client over HTTPS.

    I have no idea what this will do with your web server though. I'd make sure that if these headers don't trigger your webserver into thinking that it's really a HTTPS connection and try to decrypt the traffic, etc.

    -Joe
  • mbehring_108094's avatar
    mbehring_108094
    Icon for Nimbostratus rankNimbostratus
    Oct 04, 2007
    Hi,

     

     

    thanks for the tip. We have solved the problem with a little new apache

     

    module wich fakes the ssl_session_id even when a connect over the port

     

    443 starts....

     

     

    Greets Maik