SSL Session Cache vs Client Certificate Request
hi f5'ers,
I think I know the answer already but I'm in denial 😞
We have an f5 Big-IP VE appliance sending SOAP requests to a web service hosted in an IBM WebSphere Application Server instance. The connection is via TLS v1.2 with mutual authentication enabled, f5 appliance requests WAS server certificate once per SSL Session and WAS server has client authentication set to "Required". There are 3 options in the WAS server console for client authentication "None", "Supported" and "Required".
When we run some tests and pump a load of SOAP requests through the pipeline we see that the SSL Server profile in use between f5 Big-IP and WAS has 2,200 SSL Session Cache Lookups, 2,200 SSL Session Cache Hits and 2,200 Invalidations. The WAS server CPU is running around 27% utilisation during the test run.
If we change the WAS server client authentication to "None" we see the SSL Server profile in use between f5 Big-IP and WAS has 2,200 SSL Session Cache Lookups, 2,200 SSL Session Cache Hits and 0 Invalidations.
I tried a similar setup in my lab with f5 Big-IP talking to Stunnel and could see that with client authentication disabled or enabled in Stunnel I see the same results in the SSL Profile statistics on f5 Big-IP appliance and there is no impact to CPU utilisation on Stunnel server. I tcpdumped the test and could see that Stunnel does not ask for a client certificate for authentication purposes when reusing an SSL Session.
From my observations I have deduced that WAS must still request a client certificate when reusing an SSL Session and that client certificate request triggers the f5 Big-IP into invalidating the SSL Session reuse and so forcing a full handshake between both ends again rather than use the existing cached SSL Session.
There doesn't appear to be any way of forcing IBM WAS to not request client certificates when reusing an SSL Session. Is there any secret way to force f5 Big-IP into reusing an SSL Session even when it is asked for a client certificate with each and every request?
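An added example (not F5 or IBM code) that classifies a TLS 1.2 handshake exchange the way the session-cache counters above do: a ServerHello that echoes the offered session ID is a resumption (cache hit), while a ServerHello with a different ID followed by a CertificateRequest is the full handshake that shows up as a hit plus an invalidation. The byte strings are constructed minimal handshake messages, not a real capture, and assume unfragmented plaintext records.

```python
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, CERT_REQUEST, SERVER_HELLO_DONE = 1, 2, 13, 14

def handshake_messages(stream: bytes):
    """Yield (type, body) for each handshake message in a TLS record stream."""
    off = 0
    while off < len(stream):
        ctype, _ver, rlen = struct.unpack_from("!BHH", stream, off)
        payload, off = stream[off + 5:off + 5 + rlen], off + 5 + rlen
        if ctype != HANDSHAKE:
            continue  # ChangeCipherSpec / application data: not relevant here
        p = 0
        while p < len(payload):
            hlen = int.from_bytes(payload[p + 1:p + 4], "big")
            yield payload[p], payload[p + 4:p + 4 + hlen]
            p += 4 + hlen

def hello_session_id(body: bytes) -> bytes:
    """Hello body layout: version(2) + random(32) + session_id_len(1) + session_id."""
    return body[35:35 + body[34]]

def classify(client_to_server: bytes, server_to_client: bytes) -> str:
    """What the client (and the BIG-IP session-cache statistics) sees."""
    offered = b""
    for t, body in handshake_messages(client_to_server):
        if t == CLIENT_HELLO:
            offered = hello_session_id(body)
    chosen, cert_request = b"", False
    for t, body in handshake_messages(server_to_client):
        if t == SERVER_HELLO:
            chosen = hello_session_id(body)
        elif t == CERT_REQUEST:
            cert_request = True
    if offered and chosen == offered:
        return "resumed"  # cache hit, abbreviated handshake, no certificate exchange
    if cert_request:
        return "full handshake with CertificateRequest"  # hit + invalidation
    return "full handshake"

# Constructed sample messages (hypothetical session IDs, zero randoms, one suite).
def hello(htype: int, session_id: bytes) -> bytes:
    tail = b"\x00\x02\xc0\x2f\x01\x00" if htype == CLIENT_HELLO else b"\xc0\x2f\x00"
    return b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + tail

def record(*msgs) -> bytes:
    payload = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    return b"\x16\x03\x03" + len(payload).to_bytes(2, "big") + payload

SID = bytes.fromhex("aa" * 16)
CLIENT = record((CLIENT_HELLO, hello(CLIENT_HELLO, SID)))
RESUMED = record((SERVER_HELLO, hello(SERVER_HELLO, SID)))           # Stunnel-style reuse
FULL = record((SERVER_HELLO, hello(SERVER_HELLO, bytes.fromhex("bb" * 16))),
              (CERT_REQUEST, b"\x01\x01"), (SERVER_HELLO_DONE, b""))  # client cert re-requested
```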
Thanks in Advance,
Peter