SSL Renegotiation DOS iRule for BIG-IP 9.4.5 Build 1086.1 Hotfix HF2

Hello Joachim,

 

 

i was just wondering if you figured out a solution for your problem until now. If yes, it would be nice if you could post it.

 

 

As far as i understood you might have three possible choices.

 

1) Upgrade to Version 10.x or higher. So the after command could be used.

 

2) Just use the iRule without the after command and therefore drop the handshake directly.

 

3) Use an extension like the one below with all the consequences.

 

 

when HTTP_REQUEST {

 

set newtime [expr ]clock -miliseconds[ + 50]

 

while {[clock -milliseconds] >= $newtime } {

 

}

 

}

 

>>>possible consequences: It leads TMM into a holding pattern until it completes, without processing any other traffic in the mean time.

 

 

Maybe there is someone who knows a better choice than i do.

 

 

Thanks so far.

 

 

Best regards

 

AMa