Forum Discussion

Damien_Turner_1
Sep 01, 2010

SSL iRule to disable renegotiate

Hi all, I was wondering if I could have some help?

I'm running LTM 9.4.8 HF4 and I need to fix the SSL renegotiate issue, as I'm not keen on going to v10. After looking in the forums and on AskF5 I found this iRule to stop SSL renegotiation:

when CLIENTSSL_HANDSHAKE priority 1 {
    # Runs on the client-side SSL handshake; priority 1 so it runs before
    # any other iRule attached to this event.
    SSL::renegotiate disable

    # Uncomment the line below to turn on logging.
    # log local0. "SSL Renegotiate Disabled!!"
}
This looks really simple, so I've tried it out, and if I turn on logging I can see the iRule is being called, but I'm still failing the renegotiate test in Firefox and my PCI scanning. I have put the iRule on my virtual server which is terminating the SSL.
Have I got the iRule running in the right place? I also have an LTM controlling my incoming links; should it be on this virtual server instead?
Thank you in advance
Damien
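One way to verify the fix from outside, as an added example that is not part of the original thread: a POSIX shell check that sends R to openssl s_client (the same client-initiated renegotiation a scanner attempts) against the terminating virtual server and classifies the result. The OpenSSL message strings, the host and the port are assumptions.

```shell
# Added example, not from the original thread. Classifies the output of an
# "openssl s_client" session in which the single letter R was sent on stdin
# after the handshake, which asks s_client to start a client-initiated
# renegotiation. Assumption: s_client prints "RENEGOTIATING" when it reads R,
# and a "no renegotiation" alert or "handshake failure" error when the server
# (here the client-ssl virtual server) refuses the request.

classify_renegotiation() {
    # $1: captured s_client output. Prints refused, allowed or unknown.
    out="$1"
    if printf '%s\n' "$out" | grep -qiE 'no renegotiation|handshake failure|renegotiation disabled'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q 'RENEGOTIATING' \
         && ! printf '%s\n' "$out" | grep -qi ':error:'; then
        # A renegotiation was requested and no error line followed it.
        echo allowed
    else
        echo unknown
    fi
}

check_renegotiation() {
    # $1: host or VIP address, $2: port. The sleeps give the initial
    # handshake time to finish before R is sent and before stdin closes.
    out=$( { sleep 2; printf 'R\n'; sleep 2; } | openssl s_client -connect "$1:$2" 2>&1 )
    classify_renegotiation "$out"
}
```

Run it against the terminating LTM address, e.g. `check_renegotiation 192.168.2.149 443`, before and after applying the iRule; "refused" is the result the PCI scan is looking for.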
  • "LTM controlling my incoming links" can you explain your topology with a little bit more detail? Is that other LTM inline or are you SNATing traffic?

  • Hi, no probs. I have a 3400 GTM/LTM (9.4.8 HF4) with virtual servers (one for port 80 and one for 443) for each address, which then passes through a firewall to the external addresses on my 6400 LTM, which then terminates and passes to a pool.

    Example would be 62.254.236.149:443 (on GTM/LTM) -> 192.168.2.149:443 (on LTM) -> pool using port 80.

    Does this help?

    Damien