Forum Discussion
SSL persistence & resumption - why doesn't it work
Hi All,
It's my first post here.
I have a project where a client connects to a server through F5.
F5 does decryption, WAF, and then re-encryption, and sends the traffic to one of the nodes.
Our requirement is that:
When a client connects to the VIP for the first time, the application creates a normal SSL connection (establishment), but if the same client wants to connect another time, for example in 10 minutes and then in 20 minutes, the client should resume the existing session.
We will pay for each byte, so that's why I want to use SSL persistence (with SSL resumption).
I read that for traffic that is decrypted and re-encrypted the only option is to write an iRule.
I have created something like this:
https://devcentral.f5.com/tech-tips/articles/cert-information-in-your-http-headers.UTfd3Vd224o
but without success.
What should I add?
Version is BIG-IP 11.2.1 Build 807.0 Hotfix HF1
Thanks for any help,
Marcin
14 Replies
- Kevin_Stewart
Employee
The problem with SSL persistence is that it will either time out or eventually get renegotiated by either the client or the server. Browsers are especially prone to SSL renegotiation, so SSL persistence is generally not a good persistence mechanism for web traffic. If you need to keep persistence over some very long period of time, and this is all exclusively browser-based traffic, I'd highly recommend persistent HTTP cookies. Create a cookie persistence profile and modify the expiration values, then apply that persistence profile to the virtual server.
- Kevin_Stewart
Employee
I should also mention that if the client keeps the same browser open over that 10-20 minute period, then you could probably get away with session-based (in-memory) cookies.
- garfield831_116
Nimbostratus
The client is a special device, not a web browser; cookies are not supported.
- Kevin_Stewart
Employee
Well then the question becomes whether or not the client initiates SSL renegotiations. I've encountered a few client apps, like Citrix Receiver, that will maintain a long-running SSL session, so it's completely possible. If you enable SSL sessionid persistence at the virtual server you can monitor it with an iRule using the SSL::sessionid command.
- garfield831_116
Nimbostratus
Thanks,
so as I understand it, the iRule from the mentioned example should fix this issue?
But it's not :(
- nitass
Employee
Sorry, not sure if I am lost. I do not see you mention that you are doing client certificate authentication, which is what the iRule does.
> I read that for traffic that is decrypted and re-encrypted the only option is to write an iRule.
I do not think an iRule is required. Doesn't using clientssl and serverssl profiles work?
> but without success
What is the problem/error?
- garfield831_116
Nimbostratus
I have client and server SSL profiles; I don't have certificate authentication.
I need to enable SSL resumption (which is part of SSL persistence) - it's from the official F5 documentation.
Now each connection generates a lot of traffic (only sometimes does a new connection reuse an earlier negotiated SSL session - randomly).
- garfield831_116
Nimbostratus
In the logs I see something like this:
tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled:
but renegotiation is enabled.
- nitass
Employee
> tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled:
> but renegotiation is enabled
It is enabled on both the clientssl and serverssl profiles, isn't it?
- garfield831_116
Nimbostratus
Yes, it's enabled for both profiles, but I think that the server profile configuration is not important in this case. Correct?
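The requirement in the opening post (later connections from the same client should resume the cached session instead of paying for a full handshake) and the later observation that resumption only happens sometimes can both be checked with a small client-side probe. The Go program below is an added example; it is not from the thread, from F5 or from BIG-IP. It runs its own TLS 1.2 server on loopback with a constructed self-signed certificate, opens three connections through one shared client session cache, and reports for each connection whether the server resumed the session and how many handshake bytes flowed in each direction. The loopback address, the certificate and the connection count are all assumptions of the example; probing a real VIP would mean replacing the dial address and the trust pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// HandshakeStats records what one client connection cost and whether the
// server accepted the cached session instead of running a full handshake.
type HandshakeStats struct {
	Resumed      bool
	BytesRead    int64 // bytes received from the server during the handshake
	BytesWritten int64 // bytes sent to the server during the handshake
}

// countingConn wraps a net.Conn and tallies bytes in each direction.
type countingConn struct {
	net.Conn
	read, written *int64
}

func (c countingConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	atomic.AddInt64(c.read, int64(n))
	return n, err
}

func (c countingConn) Write(p []byte) (int, error) {
	n, err := c.Conn.Write(p)
	atomic.AddInt64(c.written, int64(n))
	return n, err
}

// selfSignedCert makes a throwaway "localhost" certificate in memory
// (constructed test material, not a real deployment certificate).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// RunResumptionDemo starts a TLS 1.2 server on loopback, connects to it
// `connections` times with one shared client session cache, and returns the
// per-connection stats. The first connection is necessarily a full handshake;
// the rest should be resumed and receive fewer bytes from the server.
func RunResumptionDemo(connections int) ([]HandshakeStats, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	// TLS 1.2 is pinned on purpose: its session state is delivered inside the
	// handshake, so a freshly closed connection is immediately resumable.
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()

	// Server side: finish the handshake for each connection and close it,
	// mirroring a short-lived request from the poster's device.
	go func() {
		for {
			raw, err := ln.Accept()
			if err != nil {
				return
			}
			go func(raw net.Conn) {
				s := tls.Server(raw, serverCfg)
				_ = s.Handshake()
				s.Close()
			}(raw)
		}
	}()

	clientCfg := &tls.Config{
		RootCAs:            pool,
		ServerName:         "localhost",
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // keeps the session between connections
	}
	var stats []HandshakeStats
	for i := 0; i < connections; i++ {
		raw, err := net.Dial("tcp", ln.Addr().String())
		if err != nil {
			return nil, err
		}
		var rd, wr int64
		c := tls.Client(countingConn{Conn: raw, read: &rd, written: &wr}, clientCfg)
		if err := c.Handshake(); err != nil {
			return nil, err
		}
		resumed := c.ConnectionState().DidResume
		c.Close()
		stats = append(stats, HandshakeStats{
			Resumed:      resumed,
			BytesRead:    atomic.LoadInt64(&rd),
			BytesWritten: atomic.LoadInt64(&wr),
		})
	}
	return stats, nil
}

func main() {
	stats, err := RunResumptionDemo(3)
	if err != nil {
		panic(err)
	}
	for i, s := range stats {
		fmt.Printf("connection %d: resumed=%v bytes from server=%d bytes to server=%d\n",
			i+1, s.Resumed, s.BytesRead, s.BytesWritten)
	}
}
```

The first connection reports resumed=false; the second and third should report resumed=true with noticeably fewer bytes from the server, because the certificate and server key exchange messages are skipped. A probe like this that shows resumed=false on every connection means either the client is not caching the session or the SSL endpoint is not honouring it, which is a separate question from the renegotiation warning quoted in the thread: resumption reuses session state on a new connection, while renegotiation re-runs the handshake inside an existing one.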