Forum Discussion

Peter_Lowdon's avatar
Icon for Altocumulus rankAltocumulus
Jun 07, 2023

SSL Session Cache vs Client Certificate Request

hi f5'ers,

I think I know the answer already but I'm in denial 😞

We have an f5 Big-IP VE appliance sending SOAP requests to a web service hosted in an IBM WebSphere Application Server instance.  The connection is via TLS v1.2 with mutual athentication enabled, f5 appliance requests WAS server certifictae once per SSL Session and WAS server has client authentication set to "Required".  There are 3 options in the WAS server console for client authentication "None", "Supported" and "Required".

When we run some tests and pump a load of SOAP requests through the pipeline we see that the SSL Server profile in use between f5 Big-IP and WAS has 2,200 SSL Session Cache Lookups, 2,200 SSL Session Cache Hits and 2,200 Invalidations.  The WAS sever CPU is running aroun 27% utilisation during the test run.

If we change the WAS server client authentication to "None"  we see the SSL Server profile in use between f5 Big-IP and WAS has 2,200 SSL Session Cache Lookups, 2,200 SSL Session Cache Hits and 0 Invalidations. 

I tried a similar setup in my lab with f5 Big-IP talking to Stunnel and could see that with client authentication disabled or enabled in Stunnel I see the same results in the SSL Profile statistics on f5 Big-IP appliance and there is no ipact to CPU utilisation on Stunnel server.  I tpcdumped the test and could see that Stunnel does not ask for a client certificate for authentication purposes when reusing an SSL Session.

From my observations I have deduced that WAS must still request a client certificate when reusing an SSL Session and that client certificate request triggers the f5 Big-IP into invalidating the SSL Session reuse and so forcing a full handshake between both ends again rather than use the existing cached  SSL Session.

There doesn't appear to be any way of forcing IBM WAS to not request client certificates when reusing SSl Session, is there any secret way to force f5 Big-IP from resuing an SSL Session even when it is asked for a client certificate with each and every request?

Thanks in Advance,


1 Reply

  • This would be the origin server requesting the client certificate? I know for the client side of the connection, you can specify to always require or just once.

    "BIG-IP requests client certificate during first handshake and no longer re-authenticates client as long as TLS session is reused and valid.

    The way BIG-IP does it is by using Session Resumption/Reuse.

    During first TLS handshake from client, BIG-IP sends a Session ID to Client within Server Hello header and in subsequent TLS connections, assuming session ID is still in BIG-IP's cache and client re-sends it back to BIG-IP, then session will be resumed every time client tries to establish a TLS session (respecting cache timeout)."

    However, I dont think this is the issue you are articulating. Think you may be after the server side of the connection, where the F5 is tearing down the session once the server resends the client certificate request.