Forum Discussion

Angel_Lopez_116's avatar
Angel_Lopez_116
Icon for Altostratus rankAltostratus
Apr 15, 2014

SSL client certificate authentication frequency and SSL Session ID

Hi,

 

I'm trying to write a very simple iRule to insert SSL Session ID value in HTTP request header. I require the client authentication in the Virtual Server sslclient profile and I've noticed that the F5 generate and send the Session ID value in the ServerHello SSL message only if a configure the frequency for the client authentication to a value of "once", if I set it to "always" then the Session ID is always empty.

 

I guess that when I set it to "always" the Session ID value is empty because the F5 doesn't want to reuse the session in any case and prefers a full handshake with the client, but I'm not sure of this.

 

Can anyone explain why the SSL Session ID is empty or has a value depending on the client authentication frequency parameter?

 

Thanks!

 

application delivery
devops
iRules
LTM
ssl
ssl client authentication
ssl::sessionid
  • Angel_Lopez_116's avatar
    Angel_Lopez_116
    Icon for Altostratus rankAltostratus
    Apr 16, 2014

    Yes, after reading "7.4.1.3. Server hello" information about SessionID I think that the behaviour of BIG-IP is clear. Thanks.

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 15, 2014

    Can anyone explain why the SSL Session ID is empty or has a value depending on the client authentication frequency parameter?

    i understand null session id is used because bigip requires client authentication fro each connection (always).

    The server may return an empty session_id to indicate that the session will not be cached and therefore cannot be resumed.

    The TLS Protocol Version 1.0

    https://www.ietf.org/rfc/rfc2246.txt