Forum Discussion
SSL persistence & resumption - why doesn't it work
Hi All,
It's my first post here.
I have a project where a client connects to a server through an F5.
The F5 decrypts, runs the WAF and then re-encrypts and sends the traffic to one of the nodes.
Our requirement is that:
When the client connects to the VIP for the first time, the application creates a normal SSL connection (establishment), but if the same client connects again, for example after 10 minutes and then after 20 minutes, the client should resume the existing session.
We pay for each byte, so that's why I want to use SSL persistence (with SSL resumption).
I read that for traffic that is decrypted and re-encrypted the only option is to write an iRule.
I have created something like this:
https://devcentral.f5.com/tech-tips/articles/cert-information-in-your-http-headers.UTfd3Vd224o
but without success.
What should I add?
The version is BIG-IP 11.2.1 Build 807.0 Hotfix HF1.
Thanks for any help,
Marcin
14 Replies
- nitass
Employee
> I think that server profile configuration is not important in this case. Correct?
After researching again, yes, I agree.
Would it be possible to post your virtual server, SSL profile and iRule configuration here?
- garfield831_116
Nimbostratus
I changed some names and IPs to xxxx.

    ltm rule /Common/insert_ssl_session_id {
        when CLIENTSSL_CLIENTCERT {
            # Cache the client certificate details under the SSL session ID
            # for 1800 seconds so a later request on the same session can reuse them
            set cert [SSL::cert 0]
            set sn [X509::serial_number $cert]
            set subject [X509::subject $cert]
            set issuer [X509::issuer $cert]
            set version [X509::version $cert]
            session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
        }
        when HTTP_REQUEST {
            if { [SSL::cert count] < 1 } {
                # No client certificate on this connection yet: ask for one via renegotiation
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode request
                SSL::renegotiate
            } else {
                # Certificate present: look up the cached details for this session ID
                set values [session lookup uie [SSL::sessionid]]
                if { [lindex $values 0] != "" } {
                    HTTP::header insert XClientSSL_Serial [lindex $values 0]
                    log local0. "Inserting Serial [lindex $values 0]"
                    HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                    log local0. "Inserting Issuer [lindex $values 1]"
                    HTTP::header insert XClientSSL_Subject [lindex $values 2]
                    log local0. "Inserting Subject [lindex $values 2]"
                    HTTP::header insert XVersion [lindex $values 3]
                    log local0. "Inserting Version [lindex $values 3]"
                }
            }
        }
    }

    ltm virtual /Common/xxxx_VS_y.y.y.y {
        destination /Common/y.y.y.y:443
        http-class {
            /Common/xxxx
        }
        ip-protocol tcp
        mask 255.255.255.255
        pool /Common/xxxx_NET_POOL
        profiles {
            /Common/xxxx_TCP_profile { }
            /Common/xxxx {
                context clientside
            }
            /Common/xxxxx {
                context serverside
            }
            /Common/http_x_forwarded_for { }
        }
        rules {
            /Common/insert_ssl_session_id
        }
        snat automap
        translate-address enabled
        translate-port enabled
        vlans {
            /Common/xxx
        }
        vlans-enabled
    }

    ltm profile client-ssl /Common/xxxxx_client {
        app-service none
        cert /Common/xxxxx_cert.crt
        defaults-from /Common/clientssl
        key /Common/xxxxx_cert.key
        options { no-session-resumption-on-renegotiation }
        renegotiate-max-record-delay 100
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation request
    }
- garfield831_116
Nimbostratus
What is also very interesting: we made 4 probes today.
I see in the logs:
Mar 8 09:55:29 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Commonxxxx_net_clie
Mar 8 09:58:27 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
Mar 8 10:01:19 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
Mar 8 10:09:14 tmm warning tmm[32185]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
1 was establishment
2 and 3 were RESUMPTION
4 was establishment
- nitass
Employee
I do not get the "Self-initiated renegotiation attempted while renegotiation disabled" log in my lab. Is there anything I missed?
This is my setting.

    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys version
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.2.1
      Build    807.0
      Edition  Hotfix HF1
      Date     Tue Oct 2 10:46:52 PDT 2012
    Hotfix List
      ID395272 ID397435 ID397882 ID397981

    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.119:443
        http-class {
            myhttpclass
        }
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            myclientssl {
                context clientside
            }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            insert_ssl_session_id
        }
        snat automap
        vlans-disabled
    }

    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile httpclass myhttpclass
    ltm profile httpclass myhttpclass {
        app-service none
        asm enabled
        defaults-from httpclass
    }

    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:443 {
                address 200.200.200.101
            }
        }
    }

    ltm profile client-ssl myclientssl {
        app-service none
        options { no-session-resumption-on-renegotiation }
        renegotiate-max-record-delay 100
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation request
    }

    root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule insert_ssl_session_id
    ltm rule insert_ssl_session_id {
        when CLIENT_ACCEPTED {
            log local0. "--"
        }
        when CLIENTSSL_HANDSHAKE {
            log local0. "SSL session Id [SSL::sessionid]"
        }
        when CLIENTSSL_CLIENTCERT {
            log local0. "SSL session Id [SSL::sessionid]"
            set cert [SSL::cert 0]
            set sn [X509::serial_number $cert]
            set subject [X509::subject $cert]
            set issuer [X509::issuer $cert]
            set version [X509::version $cert]
            session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
        }
        when HTTP_REQUEST {
            log local0. ""
            log local0. "URI [HTTP::uri]"
            if { [SSL::cert count] < 1 } {
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode request
                SSL::renegotiate
                log local0. "SSL::renegotiate"
            } else {
                set values [session lookup uie [SSL::sessionid]]
                if { [lindex $values 0] != "" } {
                    HTTP::header insert XClientSSL_Serial [lindex $values 0]
                    log local0. "Inserting Serial [lindex $values 0]"
                    HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                    log local0. "Inserting Issuer [lindex $values 1]"
                    HTTP::header insert XClientSSL_Subject [lindex $values 2]
                    log local0. "Inserting Subject [lindex $values 2]"
                    HTTP::header insert XVersion [lindex $values 3]
                    log local0. "Inserting Version [lindex $values 3]"
                }
            }
        }
    }

/var/log/ltm

    [root@ve1121:Active:Standalone] config # tail -f /var/log/ltm
    Mar 9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
    Mar 9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b7b9c9e90e8b51ea846bd8eecda30b2eabf91a5de694dc878c
    Mar 9 16:07:38 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
    Mar 9 16:07:38 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b8b9c9e90e8b51ea846bd8eecda30b2eaaf91a5de694dc8780
    Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
    Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b9b9c9e90e8b51ea846bd8eecda30b2ea9f91a5de694dc8786
    Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id :
    Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : URI /
    Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL::renegotiate
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64bab9c9e90e8b51ea846bd8eecda30b2ea8f91a5de694dc8786
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64bab9c9e90e8b51ea846bd8eecda30b2ea8f91a5de694dc8786
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id :
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : URI /f5.gif
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Serial 01
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Issuer CN=caroot.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Subject CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
    Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Version 3
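Added here as a way to read /var/log/ltm output like the lab log above; this is an example script, not part of the thread or any F5 tool. It groups the iRule's "--" (CLIENT_ACCEPTED) and "SSL session Id" (CLIENTSSL_HANDSHAKE / CLIENTSSL_CLIENTCERT) lines per TCP connection and reports whether each connection was a full handshake, a resumption, or a renegotiation that produced a new session, which is the question the original post is asking. The sample log and its shortened session ids are constructed; the warning code is the 01260012:4 message quoted earlier in the thread.

```python
import re

# Constructed sample modelled on the /var/log/ltm lines posted above;
# session ids are shortened placeholders, not the lab's real values.
SAMPLE_LOG = """\
Mar 9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
Mar 9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id aaaa1111
Mar 9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL::renegotiate
Mar 9 16:07:36 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id bbbb2222
Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id bbbb2222
Mar 9 16:07:50 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
Mar 9 16:07:50 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id cccc3333
Mar 9 16:07:51 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_client
"""

CONN_START = re.compile(r"insert_ssl_session_id : --\s*$")   # logged by CLIENT_ACCEPTED
SESSION_ID = re.compile(r"SSL session Id ([0-9a-f]+)\s*$")  # CLIENTSSL_HANDSHAKE / _CLIENTCERT
RENEG_DISABLED = "01260012:4"  # warning code quoted earlier in the thread

def split_connections(log_text):
    """Group session ids by TCP connection: each "--" opens a new
    connection and every following "SSL session Id" line belongs to it."""
    conns = []
    for line in log_text.splitlines():
        if CONN_START.search(line):
            conns.append([])
            continue
        m = SESSION_ID.search(line)
        if m and conns:
            conns[-1].append(m.group(1))
    return conns

def classify(log_text):
    """Label each connection 'full' or 'resumed' and count renegotiation
    warnings. Resumed = its first session id was already issued to an earlier
    connection. More than one distinct id in one connection means a
    renegotiation created a new session (no-session-resumption-on-renegotiation)."""
    issued, labels = set(), []
    for ids in split_connections(log_text):
        if not ids:
            continue
        kind = "resumed" if ids[0] in issued else "full"
        if len(set(ids)) > 1:
            kind += "+renegotiated"
        labels.append(kind)
        issued.update(ids)
    warnings = sum(RENEG_DISABLED in line for line in log_text.splitlines())
    return labels, warnings
```

Run against the real log above, every connection gets a fresh id, so the labels would all be "full": the probes reached the virtual server but none of them resumed a session.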