Forum Discussion
TLS session resumption
Hello,
If I run a TLS session resumption test on LTM version 11.4.1, it doesn't work.
If I repeat the same test on LTM version 11.5.1, it works fine.
I am using an SSL client profile with default settings.
Do you know how I can get TLS session resumption working in LTM version 11.4.1?
Thanks. Regards,
5 Replies
- nitass
Employee
This is mine.

version

[root@B4200-R77-S7:Active:Standalone] config # tmsh show sys version | head
Sys::Version
Main Package
  Product     BIG-IP
  Version     11.4.1
  Build       675.0
  Edition     Hotfix HF7
  Date        Mon Dec 29 23:07:14 PST 2014

configuration

[root@B4200-R77-S7:Active:Standalone] config # tmsh list ltm virtual bar
ltm virtual bar {
    destination 100.100.100.123:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 3
}

test

[root@client3 ~]# openssl s_client -connect 100.100.100.123:443 -reconnect
CONNECTED(00000003)
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1101 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
    Session-ID-ctx:
    Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1430624551
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
    Session-ID-ctx:
    Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1430624551
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
    Session-ID-ctx:
    Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1430624551
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
    Session-ID-ctx:
    Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1430624551
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
    Session-ID-ctx:
    Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1430624551
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
    Session-ID-ctx:
    Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1430624551
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
- fgf_165674
Nimbostratus
Hi nitass,
Thanks for your response.
This is my test:
$ openssl s_client -connect 10.40.5.10:443 -reconnect
[...]
No client certificate CA names sent
SSL handshake has read 5934 bytes and written 893 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: D3E36ACF934B950E3924926DA922667B457160FA70B48F9F43A11CD252A7A6B6
    Session-ID-ctx:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429892007
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: D3E36ACF93495B1A3924926DA922657A2690A7AA1352D4B443A11CD252A7A6B9
    Session-ID-ctx:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429892008
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
[...]
Can you show the config of the client SSL profile?
I suspect that it can be related to the protocol used in the cipher suite.
Regards,
- nitass
Employee
Can you show the config of the client SSL profile?
It is default.

root@(B4200-R77-S7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl clientssl
ltm profile client-ssl clientssl {
    alert-timeout 10
    app-service none
    authenticate once
    authenticate-depth 9
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert default.crt
    cert-extension-includes { basic-constraints subject-alternative-name }
    chain none
    ciphers DEFAULT
    client-cert-ca none
    crl-file none
    handshake-timeout 10
    key default.key
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-cert-mode ignore
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    strict-resume disabled
    unclean-shutdown enabled
}
- nitass
Employee
How long is your clientssl profile name? You are not hitting this, are you?
sol14372: SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more
https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14372.html
- fgf_165674
Nimbostratus
Hello,
This is the problem: the profile name length (32 characters).
After changing the profile name, the problem is now solved.
Thanks a lot.
Regards,
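An added check, not from this thread or from F5, that automates what the two `openssl s_client -reconnect` transcripts above and sol14372 show: it parses the output (constructed samples abridged from the thread) to confirm every reconnect reported Reused with the first connection's Session-ID, and flags a Client SSL profile name of 32 or more characters.

```python
import re

# Constructed samples, abridged from the two `openssl s_client -reconnect` transcripts
# in this thread: every reconnect a fresh handshake (11.4.1) vs. the session ID reused.
BROKEN = """\
New, TLSv1/SSLv3, Cipher is AES128-SHA
    Session-ID: D3E36ACF934B950E3924926DA922667B457160FA70B48F9F43A11CD252A7A6B6
    Session-ID-ctx:
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is AES128-SHA
    Session-ID: D3E36ACF93495B1A3924926DA922657A2690A7AA1352D4B443A11CD252A7A6B9
"""
WORKING = """\
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
    Session-ID-ctx:
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
"""

HANDSHAKE_RE = re.compile(r"^(New|Reused), .*Cipher is (\S+)")
SESSION_ID_RE = re.compile(r"^\s*Session-ID:\s*([0-9A-Fa-f]*)\s*$")  # skips Session-ID-ctx

def parse_handshakes(output):
    """One dict per connection in s_client output: kind (New/Reused), cipher, session_id."""
    handshakes = []
    for line in output.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            handshakes.append({"kind": m.group(1), "cipher": m.group(2), "session_id": ""})
            continue
        m = SESSION_ID_RE.match(line)
        if m and handshakes and not handshakes[-1]["session_id"]:
            handshakes[-1]["session_id"] = m.group(1).upper()
    return handshakes

def resumption_works(output):
    """True only if every reconnect reported Reused with the first connection's Session-ID."""
    hs = parse_handshakes(output)
    if len(hs) < 2 or hs[0]["kind"] != "New" or not hs[0]["session_id"]:
        return False
    return all(h["kind"] == "Reused" and h["session_id"] == hs[0]["session_id"] for h in hs[1:])

def profile_name_ok(name):
    """sol14372: session ID reuse may fail if the Client SSL profile name is 32 characters or more."""
    return len(name) < 32
```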