Forum Discussion
Bernard_9290
Jul 12, 2011 | Nimbostratus
SSL::session invalidate issue
BIG-IP version: 10.2.0 HF1
We have a virtual server with a client SSL profile configured for mutual authentication and we would like to invalidate the SSL session when the user logs out from ...
hooleylist
Jul 13, 2011 | Cirrostratus
Hi Bernard,
Can you try calling 'session delete ssl [SSL::sessionid]' to remove the SSL cert from the session table? I'm thinking something like this:
HTTP::respond 302 Location $location Connection Close Cache-Control No-Cache Pragma No-Cache
session delete ssl [SSL::sessionid]
SSL::session invalidate
If that doesn't work, I think you might need to call SSL::renegotiate after SSL::session invalidate to request that the client negotiate a new SSL session.
However, using SSL::renegotiate will open you up to the vulnerability described in SOL10737. There is a fix in 11.0beta2 and possibly one for 10.2.x. You could open a case with F5 Support to get status on this. See this thread for details:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/5/afv/topic/aft/1178540/afc/1251057/Default.aspx
Aaron