Forum Discussion
Bernard_9290
Jul 12, 2011 Nimbostratus
SSL::session invalidate issue
BIG-IP version:10.2.0 HF1
We have a virtual server with a client SSL profile configured for mutual authentication and we would like to invalidate the SSL session when the user logs out from ...
Bernard_9290
Jul 14, 2011 Nimbostratus
Hi Aaron,
I think we have found the root cause of the issue with "SSL::session invalidate command". It seems that the command has not been designed for multi-processor F5 units.
The iRule is successfully executed in our production environment on a BIG-IP 4100 which is single processor.
We are now migrating to F5 BIG-IP 8900 which are multi-processor units (2x4 processors) and where we have encountered the issue.
This is confirmed when displaying the number of the CPUs executing the iRule (via TMM::cmp_unit) in the logs.
When the CPU used for the "SSL::session invalidate" command and the CPU used for the first request after re-login are the same, the SSL session is not in the F5 cache and we need to provide a password. In this case the invalidation is successful.
However, when the CPUs are not identical, the SSL session is still in the cache and the login is transparent which is really a security issue.
Bernard
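An added example, not part of the thread: a log check for the behaviour described in the post above, flagging any SSL session ID that is still accepted after an invalidate and recording which TMM ran each event. The `ssl_diag` line format, the field names and the sample values are assumptions made for this example; they stand in for whatever the iRule logs from TMM::cmp_unit and the session ID.

```python
import re
from typing import NamedTuple

# Constructed sample lines. The "ssl_diag" format is hypothetical: it represents
# an iRule log statement that prints TMM::cmp_unit and the SSL session ID.
SAMPLE_LOG = """\
Jul 14 10:00:01 bigip ssl_diag: event=request tmm=3 sid=a1f0 uri=/app
Jul 14 10:00:40 bigip ssl_diag: event=invalidate tmm=3 sid=a1f0 uri=/logout
Jul 14 10:00:52 bigip ssl_diag: event=request tmm=3 sid=c77e uri=/app
Jul 14 10:05:10 bigip ssl_diag: event=request tmm=1 sid=b2e9 uri=/app
Jul 14 10:05:33 bigip ssl_diag: event=invalidate tmm=1 sid=b2e9 uri=/logout
Jul 14 10:05:47 bigip ssl_diag: event=request tmm=6 sid=b2e9 uri=/app
"""

LINE_RE = re.compile(
    r"ssl_diag: event=(?P<event>\w+) tmm=(?P<tmm>\d+) sid=(?P<sid>[0-9a-f]+)"
)


class Reuse(NamedTuple):
    sid: str             # session ID seen again after invalidation
    invalidated_on: int  # TMM that ran the invalidate
    reused_on: int       # TMM that later accepted the same session ID
    line_no: int         # 1-based line number of the reuse in the log


def find_reuse_after_invalidate(log_text):
    """Return every request that carries a session ID already invalidated."""
    invalidated = {}  # sid -> TMM that ran the invalidate
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        sid, tmm = m["sid"], int(m["tmm"])
        if m["event"] == "invalidate":
            invalidated[sid] = tmm
        elif m["event"] == "request" and sid in invalidated:
            findings.append(Reuse(sid, invalidated[sid], tmm, line_no))
    return findings


def summarize(findings):
    """Split findings by whether the reuse happened on the invalidating TMM."""
    same = [f for f in findings if f.invalidated_on == f.reused_on]
    cross = [f for f in findings if f.invalidated_on != f.reused_on]
    return {"same_tmm": same, "cross_tmm": cross}
```

In the constructed sample, session `a1f0` is replaced by a new ID after logout on the same TMM, while `b2e9` is accepted again on a different TMM, which is the case the post reports.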