Forum Discussion
Dave_Burnett_20
Nimbostratus
Jul 03, 2012
SSL Session Ciphers
Recent testing has identified that our web host allows clients to resume an SSL session with a different cipher to that originally negotiated.
e.g. The server allowed the following session ...
nitass
Employee
Jul 03, 2012
I am not an expert. Anyway, it is fun to write iRules, so I never mind doing it if I can. However, in some cases it is difficult or I am not able to test it out. I prefer testing it before giving an iRule.
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      tcp {}
   }
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when RULE_INIT {
      # seconds to remember the cipher that a session ID was first negotiated with
      set static::tabletimeout 3600
   }
   when CLIENT_ACCEPTED {
      log local0. "[IP::client_addr]:[TCP::client_port] is connecting"
   }
   when CLIENTSSL_HANDSHAKE {
      set sid "[SSL::sessionid]"
      set cp "[SSL::cipher name]"
      log local0. "sessionid is $sid"
      log local0. "cipher is $cp"
      # a handshake without a session ID cannot be resumed, so there is nothing to compare
      if { $sid eq "" } {
         return
      }
      set seen [table lookup $sid]
      if { $seen ne "" } {
         if { $seen ne $cp } {
            log local0. "resume ssl session but cipher is different"
            reject
            return
         }
         log local0. "resume ssl session and cipher is identical"
      } else {
         log local0. "new ssl session"
         table set $sid $cp $static::tabletimeout indefinite
      }
   }
}
/var/log/ltm
Jul 3 23:31:03 local/tmm info tmm[5111]: Rule myrule : 192.168.206.55:51112 is connecting
Jul 3 23:31:03 local/tmm info tmm[5111]: Rule myrule : sessionid is 80f1024444a55cd8189cffe6ca7e7c18decbac0776a4c09e1b762accc8e86974
Jul 3 23:31:03 local/tmm info tmm[5111]: Rule myrule : cipher is RC4-SHA
Jul 3 23:31:03 local/tmm info tmm[5111]: Rule myrule : resume ssl session and cipher is identical
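The same check Dave_Burnett_20 asks about and nitass's iRule performs on the BIG-IP, done against the handshake bytes instead, so it can be run over a capture taken in front of any server. This is an added example, not code from the thread or from F5. It assumes TLS 1.0-1.2 session-ID resumption (not TLS 1.3 PSK resumption or session tickets) and one Hello message per TLS record; the build_* helpers, the sample exchanges and the zero client/server randoms are constructed, and the session ID value is reused from the /var/log/ltm lines above.

```python
"""Added example: check TLS 1.0-1.2 session-ID resumption for cipher consistency.
Parses ClientHello/ServerHello handshake records (one message per record) and
flags a resumed session whose ServerHello selects a different cipher suite than
the one negotiated by the original full handshake. Sample records are
constructed below; this is not F5 code and runs offline."""
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02
# IANA cipher suite values with the OpenSSL names that appear in the iRule log.
RC4_SHA, AES128_SHA = 0x0005, 0x002F   # TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
CIPHER_NAMES = {RC4_SHA: "RC4-SHA", AES128_SHA: "AES128-SHA"}

def cipher_name(suite):
    return CIPHER_NAMES.get(suite, "0x%04X" % suite)

def parse_handshake(record):
    """Return (handshake_type, body) from one TLS handshake record."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    if struct.unpack("!H", record[3:5])[0] + 5 != len(record):
        raise ValueError("record length mismatch")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return record[5], body

def _session_id(body):
    """Both Hellos start with version(2) random(32) session_id<0..32>."""
    sid_len = body[34]
    return body[35:35 + sid_len], 35 + sid_len

def parse_client_hello(body):
    session_id, pos = _session_id(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    return {"session_id": session_id, "cipher_suites": suites}

def parse_server_hello(body):
    session_id, pos = _session_id(body)
    return {"session_id": session_id, "cipher_suite": struct.unpack("!H", body[pos:pos + 2])[0]}

def check_handshakes(exchanges):
    """exchanges: ordered list of (client_hello_record, server_hello_record).
    Returns findings as (exchange_no, kind, chosen_cipher, original_cipher).
    A session counts as resumed when the client sent a non-empty session ID
    and the server echoed the same ID (RFC 5246 section 7.4.1.3)."""
    session_cipher = {}   # session_id -> cipher suite from its full handshake
    findings = []
    for n, (ch_rec, sh_rec) in enumerate(exchanges, 1):
        htype, body = parse_handshake(ch_rec)
        if htype != CLIENT_HELLO:
            raise ValueError("exchange %d: expected ClientHello" % n)
        ch = parse_client_hello(body)
        htype, body = parse_handshake(sh_rec)
        if htype != SERVER_HELLO:
            raise ValueError("exchange %d: expected ServerHello" % n)
        sh = parse_server_hello(body)
        sid, chosen = sh["session_id"], sh["cipher_suite"]
        if ch["session_id"] and ch["session_id"] == sid:
            original = session_cipher.get(sid)
            if original is None:          # resumed a session this monitor never saw created
                findings.append((n, "unknown-session", cipher_name(chosen), None))
            elif original != chosen:      # RFC 5246 7.4.1.3: must be the original session's value
                findings.append((n, "cipher-changed", cipher_name(chosen), cipher_name(original)))
        elif sid:
            session_cipher[sid] = chosen  # full handshake: remember the negotiated suite
    return findings

# Constructed sample records (not a real capture): TLS 1.0, all-zero randoms.
def _wrap(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs

def build_client_hello(session_id, suites):
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")   # one compression method: null
    return _wrap(CLIENT_HELLO, body)

def build_server_hello(session_id, suite):
    body = b"\x03\x01" + b"\x00" * 32 + bytes([len(session_id)]) + session_id + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)

# Session ID value copied from the /var/log/ltm lines in the thread above.
SID = bytes.fromhex("80f1024444a55cd8189cffe6ca7e7c18decbac0776a4c09e1b762accc8e86974")
SAMPLE_EXCHANGES = [
    (build_client_hello(b"", [RC4_SHA, AES128_SHA]), build_server_hello(SID, RC4_SHA)),     # full handshake
    (build_client_hello(SID, [RC4_SHA, AES128_SHA]), build_server_hello(SID, RC4_SHA)),     # proper resumption
    (build_client_hello(SID, [AES128_SHA, RC4_SHA]), build_server_hello(SID, AES128_SHA)),  # resumed, cipher changed
]

if __name__ == "__main__":
    for n, kind, chosen, original in check_handshakes(SAMPLE_EXCHANGES):
        print("exchange %d: %s, server chose %s, session created with %s" % (n, kind, chosen, original))
```

Only the third exchange is reported: the server echoes the session ID (a resumption) but selects AES128-SHA where the session was created with RC4-SHA. The "unknown-session" kind covers a resumption whose full handshake happened before monitoring started, which is the same blind spot nitass's table has after a restart or timeout; it is worth reporting separately rather than treating it as a clean resumption.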