Nick_T_68319
Jul 24, 2014

Session resumption (caching)

I ran a test against our site with the SSLlabs tool, and one thing it lists as orange is:

 

Session resumption (caching)

 

Is there an option to add this?

 

9 Replies

    • Nick_T_68319
      For my SSL profile, I'm inheriting all the defaults minus a few things:

      ltm profile client-ssl /Common/clientssl-mine {
         app-service none
         ciphers !COMPAT:ECDHE+AES:ECDHE+3DES:AES:3DES:!MD5:!EXPORT:!DES:!EDH:!RC4
         defaults-from /Common/clientssl
         renegotiation disabled
      }
  • I have the same issue: clientssl profile has SSL caching 20K, timeout 3600 (on an 11.4 system).

     

    SSL Labs says: Session resumption (caching): No (IDs assigned but not accepted)

     

    ???

     

  • I have the same issue. There is a SOL that recommends using 1 clientssl per VIP. This solved the issue temporarily for about 30 minutes. Then I ran SSLLABS again and the issue was back. It's something with caching, I think. Caching is set to default; I changed it, but this has no effect. (On 11.6.1)

     

    Any tips, ideas are more than welcome!

     

  • The cipher is not the cause. I use this cipher on many sites and everywhere else session resumption is working.

     

  • I have the same issue. K6767 says:

    When more than one SSL profile is configured without mutually exclusive session cache limits, contention in the shared global cache may cause entries for one virtual server to be evicted in favor of another even if fewer than the maximum configured for that profile are cached. To avoid this possibility, consider limiting the total combined configured session size for all SSL profiles to the value of the global session cache size. For example, if you have four SSL profiles in use on a single TMM BIG-IP running 10.1.0 or later, you may want to consider configuring the session Cache Size setting for each profile to 65,536 (25 percent of the global cache size of 262,144).

    I have two active clientssl profiles (tmsh list ltm profile client-ssl PROFILE_NAME cache-size):

    ltm profile client-ssl profile1_clientssl {
       cache-size 262016
    }
    ltm profile client-ssl profile2_clientssl {
       cache-size 128
    }
    

    So, the total is 262144. But I still get:

    Session resumption (caching):No (IDs assigned but not accepted)
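
The cache-size budget from K6767 quoted in the thread can be checked mechanically against `tmsh list` output. This is an added example, not part of any poster's reply and not F5 tooling; the function name `cache_budget` and the `site_a`/`site_b` profile names are made up, and it assumes the input lists only profiles that are in use.

```bash
#!/usr/bin/env bash
# Added example: the K6767 cache-size budget check over `tmsh list` output.
# 262144 is the global session cache size quoted from K6767 in the thread.
GLOBAL_CACHE=262144

# Reads profile stanzas on stdin (the format shown in the last post) and
# prints "<profiles> <total> <equal_share> <OK|OVERSUBSCRIBED>".
# Assumption: stdin lists only the profiles actually in use.
# Exits 2 if no cache-size is found or a value is not a plain integer.
cache_budget() {
    awk -v global="$GLOBAL_CACHE" '
        # Stanza header: remember the profile name.
        $1 == "ltm" && $2 == "profile" && $3 == "client-ssl" { name = $4; next }
        # cache-size inside a stanza: validate, then add to the total.
        $1 == "cache-size" && name != "" {
            if ($2 ~ /^[0-9]+$/) { total += $2; n++ }
            else { print "bad cache-size in " name ": " $2 > "/dev/stderr"; bad = 1 }
            name = ""
        }
        END {
            if (bad || n == 0) exit 2
            status = (total <= global) ? "OK" : "OVERSUBSCRIBED"
            printf "%d %d %d %s\n", n, total, int(global / n), status
        }'
}

# The two profiles from the post: 262016 + 128 = 262144, exactly the budget.
from_post='ltm profile client-ssl profile1_clientssl {
   cache-size 262016
}
ltm profile client-ssl profile2_clientssl {
   cache-size 128
}'

# Constructed sample: two profiles that both keep a 262144 cache-size.
constructed='ltm profile client-ssl site_a_clientssl {
    cache-size 262144
}
ltm profile client-ssl site_b_clientssl {
    cache-size 262144
}'

printf '%s\n' "$from_post"   | cache_budget   # 2 262144 131072 OK
printf '%s\n' "$constructed" | cache_budget   # 2 524288 131072 OVERSUBSCRIBED
```

The third field is the equal per-profile share K6767 suggests (65,536 for four profiles). A passing budget only rules out the cache contention K6767 describes.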