Forum Discussion
Regarding SSL session ID persistence
Hi All,
We are having an issue with one of the applications, which seems to be using SSLv3 and a low cipher value. Due to this, when the source server tries to connect to the VIP, the connection disconnects or has issues (as 11.5.1 doesn't support SSLv3 or MD5 or low cipher values). So instead of SSL offloading, we are planning to create a layer 4 VIP and use SSL session ID persistence. But as per SOL: https://support.f5.com/kb/en-us/solutions/public/3000/000/sol3062.html it seems there is an issue with some versions of IE. So I just wanted to check if anyone is using SSL persistence and has faced any issues?
Thanks.
2 Replies
- Kevin_Stewart
Employee
I'd personally focus more on making it work with SSL decryption at the LTM VIP. 11.5 will indeed support SSLv3, but you need to add it manually to your SSL profile cipher string.
Otherwise SSL session ID persistence can only work in very limited scenarios. The problem is that modern browsers, all modern browsers, will at given intervals renegotiate SSL. That renegotiation will change the session ID. The only "clients" I've encountered that don't do this are some Citrix and Java clients. Your only other option, should you choose to tunnel SSL, is client source address affinity.
- Kevin_Stewart
Employee
It's all about OSI layers. You can absolutely do source IP address affinity because IPs are layer 3 and SSL doesn't happen until layer 6. You cannot, however, do X-Forwarded-For headers because that is HTTP (layer 7), which you can't have access to unless you decrypt the SSL (layer 6).
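Added illustration (not part of the thread and not F5's implementation): what a layer 4 virtual server can read without decrypting is the session ID field of the cleartext ClientHello, so a client that arrives with a different or empty session ID misses the persistence table and only source address affinity is left. The function names, the pre-populated `table`, the pool addresses and the CRC-based fallback are assumptions made for this sketch.

```python
import struct
import zlib

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample input: a minimal TLS 1.0 ClientHello."""
    hello = (b"\x03\x01" + bytes(32)                  # client_version, random
             + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x2f" + b"\x01\x00")      # one cipher suite, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_session_id(record: bytes):
    """Return the session ID of a cleartext ClientHello, or None if the
    record is anything else (for example encrypted application data)."""
    if len(record) < 5:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                       # 0x16 = handshake record
        return None
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:    # 0x01 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                     # version(2) + random(32) + length byte
        return None
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        return None
    return hello[35:35 + sid_len]

def pick_member(table, pool, record, src_ip):
    """Choose a pool member using only what is visible without decryption."""
    sid = client_hello_session_id(record)
    if sid and sid in table:
        return table[sid], "ssl-session-id"
    # Empty or unknown session ID: fall back to source address affinity.
    # HTTP headers such as X-Forwarded-For are inside the encrypted stream.
    return pool[zlib.crc32(src_ip.encode()) % len(pool)], "source-address"

if __name__ == "__main__":
    pool = ["10.0.0.11", "10.0.0.12"]       # constructed pool members
    known = bytes(range(32))                # constructed session ID
    table = {known: "10.0.0.11"}            # assumed to be learned earlier
    for sid in (known, b"\xaa" * 32, b""):  # resumed, changed, brand new
        print(sid.hex()[:8] or "(empty)",
              pick_member(table, pool, build_client_hello(sid), "192.0.2.10"))
```
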