Dec 08, 2010

SSL Persistence with clientSSL profile

I've read the various documentation that states that SSL persistence only works for non-terminated SSL sessions. However, what I find confusing is that we do, in fact, in my environment have SSL persistence turned on for virtuals that are terminating SSL. And it does seem to be persisting.

When I issue a "b persist show | grep ssl" I get records for non-terminated and terminated SSL sessions. So, my question is, if SSL persistence doesn't work for terminated SSL sessions, then by what means is the LTM creating and persisting these sessions?

  • Hi Vaesh,

    That was true in 4.x, but in 9+, the following applies:

    SOL3062: Using SSL (Session ID) persistence

    You can use SSL persistence with the following configurations:

    * With an SSL virtual server, when the nodes are configured with the SSL certificate.

    * With a virtual server configured with a clientssl profile, when the BIG-IP system terminates SSL connections.

    You cannot use SSL persistence with the following configurations:

    * With a virtual server configured with a serverssl profile. If the BIG-IP is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.

    * With a virtual server configured for Client Authentication. For example, if the clientssl profile is configured to request a client SSL certificate for client authentication, you cannot use SSL persistence.
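As an added illustration, not part of this thread and not F5 code, the following Python model shows what the answer above describes: the persistence key is the session ID carried in the TLS handshake, so it works whenever the BIG-IP can see (or itself issues) the ID the client will present on resumption, and it cannot follow a re-encrypted node-side connection because that handshake carries its own, different session ID. The pool member addresses, the session ID values and the handshake records are all constructed for the example; `build_hello`, `extract_session_id` and `SessionIdPersistence` are hypothetical names, not LTM APIs.

```python
"""Toy model of SSL session ID persistence (constructed example, not F5 code)."""
import struct
from itertools import cycle

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def build_hello(msg_type, session_id, version=b"\x03\x03"):
    """Construct a minimal TLS record carrying a ClientHello or ServerHello.
    Only the fields up to session_id matter here; the cipher suite and
    compression bytes are filler that keeps the record well-formed."""
    if len(session_id) > 32:
        raise ValueError("session_id must be at most 32 bytes")
    random = b"\x00" * 32                      # constructed, not a real nonce
    if msg_type == CLIENT_HELLO:
        tail = b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        tail = b"\x00\x2f" + b"\x00"               # chosen suite, null compression
    body = version + random + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def extract_session_id(record):
    """Return (msg_type, session_id) from a hello record, or None if the
    record is not a ClientHello/ServerHello (or is truncated)."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        return None
    msg_type = hs[0]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:                         # version(2) + random(32) + sid_len(1)
        return None
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        return None
    return msg_type, body[35:35 + sid_len]


class SessionIdPersistence:
    """Persistence table keyed on the TLS session ID, with round-robin fallback."""

    def __init__(self, members):
        self._rr = cycle(members)
        self.records = {}                      # session_id -> pool member

    def select_member(self, client_hello):
        """Pick a member for a client-side handshake: a known session ID is
        persisted to its recorded member, anything else is load balanced."""
        parsed = extract_session_id(client_hello)
        if parsed is None or parsed[0] != CLIENT_HELLO:
            raise ValueError("expected a ClientHello record")
        sid = parsed[1]
        if sid and sid in self.records:
            return self.records[sid]
        return next(self._rr)

    def learn(self, server_hello, member):
        """Record the session ID the server (or the terminating proxy) issued."""
        parsed = extract_session_id(server_hello)
        if parsed is None or parsed[0] != SERVER_HELLO:
            raise ValueError("expected a ServerHello record")
        if parsed[1]:
            self.records[parsed[1]] = member


def demo():
    """Walk through a new session, a resumption, and the re-encryption caveat."""
    lb = SessionIdPersistence(["10.0.0.11:443", "10.0.0.12:443"])  # constructed pool
    sid = bytes(range(32))                     # constructed session ID issued client-side
    first = lb.select_member(build_hello(CLIENT_HELLO, b""))       # empty ID: new session
    lb.learn(build_hello(SERVER_HELLO, sid), first)
    resumed = lb.select_member(build_hello(CLIENT_HELLO, sid))     # same member again
    other = lb.select_member(build_hello(CLIENT_HELLO, b""))       # new session, next member
    # Re-encryption: the node-side handshake gets its own session ID, which the
    # client never presents, so a table keyed on it has nothing to match.
    node_side_sid = bytes(range(32, 64))       # constructed node-side session ID
    persisted_by_node_id = node_side_sid in lb.records
    return first, resumed, other, persisted_by_node_id


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the member chosen for the initial handshake, the member chosen when the client resumes with the learned ID (the same one), the member chosen for an unrelated new session (the next in rotation), and `False` for the node-side ID lookup, which is the situation the answer's serverssl bullet describes.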