vaesh_95620
Dec 08, 2010

SSL Persistence with clientSSL profile

Hello-

I've read the various documentation that states that SSL persistence only works for non-terminated SSL sessions. However what I find confusing is that we do, in fact, in my environment have SSL persistence turned on for virtuals that are terminating SSL. And, it does seem to be persisting.

When I issue a "b persist show | grep ssl" I get records for non-terminated and terminated SSL sessions. So, my question is, if SSL persistence doesn't work for terminated SSL sessions then by what means is the LTM creating and persisting these sessions??

Thanks-

  • Hi Vaesh,

    That was true in 4.x, but in 9+, the following applies:

    SOL3062: Using SSL (Session ID) persistence
    http://support.f5.com/kb/en-us/solutions/public/3000/000/sol3062.html

    You can use SSL persistence with the following configurations:

    * With an SSL virtual server, when the nodes are configured with the SSL certificate.
    * With a virtual server configured with a clientssl profile, when the BIG-IP system terminates SSL connections.

    You cannot use SSL persistence with the following configurations:

    * With a virtual server configured with a serverssl profile. If the BIG-IP is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.
    * With a virtual server configured for Client Authentication. For example, if the clientssl profile is configured to request a client ssl certificate for client authentication you cannot use SSL persistence.

    Aaron
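
The persistence key discussed in this thread is the SSL session ID, which travels unencrypted in the ClientHello and ServerHello. The sketch below is an added example, not part of the thread and not BIG-IP's implementation: it extracts that ID from a handshake record and uses it as the key of a toy persistence table. The class name, the member names and the sample records are constructed for illustration.

```python
import struct

def hello_session_id(record: bytes) -> bytes:
    """Session ID carried in the clear in a TLS ClientHello/ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:        # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    msg = record[5:5 + rec_len]
    if len(msg) != rec_len or len(msg) < 39 or msg[0] not in (1, 2):
        raise ValueError("truncated or not a ClientHello/ServerHello")
    # type(1) + length(3) + version(2) + random(32) puts the ID length at offset 38
    sid_len = msg[38]
    if sid_len > 32 or len(msg) < 39 + sid_len:
        raise ValueError("bad session ID length")
    return msg[39:39 + sid_len]

class SessionIdPersistence:
    """Toy persistence table: session ID -> pool member (hypothetical names)."""
    def __init__(self, members):
        self.members, self.table, self.turn = list(members), {}, 0

    def pick(self, client_hello: bytes) -> str:
        sid = hello_session_id(client_hello)
        if sid in self.table:                        # resumption: reuse the member
            return self.table[sid]
        member = self.members[self.turn % len(self.members)]
        self.turn += 1                               # new session: round robin
        return member

    def learn(self, server_hello: bytes, member: str) -> None:
        sid = hello_session_id(server_hello)
        if sid:                                      # empty ID means not resumable
            self.table[sid] = member

def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Constructed sample record: 1 = ClientHello, 2 = ServerHello."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f\x01\x00" if msg_type == 1 else b"\x00\x2f\x00"
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(msg).to_bytes(2, "big") + msg

if __name__ == "__main__":
    lb = SessionIdPersistence(["member-a", "member-b"])
    first = lb.pick(build_hello(1, b""))             # no ID offered yet
    lb.learn(build_hello(2, b"\xaa" * 32), first)    # ID issued for this session
    print(first, lb.pick(build_hello(1, b"\xaa" * 32)))  # same member twice
```

In this model a client that offers an ID the table has never seen is treated as a new session and load balanced again.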