
SSL persistence & resumption - why doesn't it work

garfield831_116
Nimbostratus

Hi All,

It's my first post here.

I have a project where a client connects to a server through F5.

F5 does decryption, WAF and then re-encryption, and sends the traffic to one of the nodes.

Our requirement is that:

When the client connects to the VIP for the first time, the application creates a normal SSL connection (establishment), but if the same client wants to connect another time, for example in 10 minutes and then in 20 minutes, the client should resume the existing session.

We will pay for each byte, so that's why I want to use SSL persistence (with SSL resumption).

I read that for traffic that is decrypted and re-encrypted the only option is to write an iRule.

I have created something like this:

https://devcentral.f5.com/tech-tips/articles/cert-information-in-your-http-headers.UTfd3Vd224o

but without success.

What should I add?

The version is BIG-IP 11.2.1 Build 807.0 Hotfix HF1.

Thanks for any help

Marcin

 

14 replies

Kevin_Stewart
F5 Employee
The problem with SSL persistence is that it will either time out or eventually get renegotiated by either the client or the server. Browsers are especially prone to SSL renegotiation, so SSL persistence is generally not a good persistence mechanism for web traffic. If you need to keep persistence over some very long period of time, and this is all exclusively browser-based traffic, I'd highly recommend persistent HTTP cookies. Create a cookie persistence profile and modify the expiration values, then apply that persistence profile to the virtual server.

Kevin_Stewart
F5 Employee
I should also mention that if the client keeps the same browser open over that 10-20 minute period, then you could probably get away with session-based (in-memory) cookies.

garfield831_116
Nimbostratus
The client is a special device, not a web browser; cookies are not supported.

Kevin_Stewart
F5 Employee
Well then the question becomes whether or not the client initiates SSL renegotiations. I've encountered a few client apps, like Citrix Receiver, that will maintain a long-running SSL session, so it's completely possible. If you enable SSL session ID persistence at the virtual server you can monitor it with an iRule using the SSL::sessionid command.

 

 

garfield831_116
Nimbostratus
Thanks,

so as I understand it, the iRule from the mentioned example should fix this issue?

But it's not 😞

nitass
F5 Employee
Sorry, not sure if I am lost. I do not see you mention that you are doing client certificate authentication, which is what the iRule does.

"I read that for traffic that is decrypt and re-encrypt only option is write iRule"

I do not think an iRule is required. Doesn't using clientssl and serverssl profiles work?

"but without success"

What is the problem/error?

garfield831_116
Nimbostratus
I have client and server SSL profiles; I don't have certificate authentication.

I need to enable SSL resumption (which is part of SSL persistence) - it's from the official F5 documentation.

Now each connection generates a lot of traffic (only sometimes does a new connection use the earlier negotiated SSL session - randomly).

 

garfield831_116
Nimbostratus
In the logs I see something like this:

tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled:

but renegotiation is enabled.

nitass
F5 Employee
"tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled:

but renegotiation is enabled"

It is enabled on both the clientssl and serverssl profiles, isn't it?

garfield831_116
Nimbostratus
Yes, it's enabled for both profiles, but I think that the server profile configuration is not important in this case. Correct?

nitass
F5 Employee
"I think that server profile configuration is not important in this case. Correct ?"

After researching again, yes, I agree.

Would it be possible to post your virtual server, SSL profile and iRule configuration here?

 

garfield831_116
Nimbostratus
I changed some names and IPs to xxxx.

```tcl
ltm rule /Common/insert_ssl_session_id {
    # Fires once the client certificate has been received: cache the
    # certificate fields in the session table, keyed by SSL session ID,
    # for 1800 seconds.
    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set sn [X509::serial_number $cert]
        set subject [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set version [X509::version $cert]
        session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
    }

    when HTTP_REQUEST {
        if { [SSL::cert count] < 1 } {
            # No client certificate on this connection yet: ask for one and
            # force a renegotiation so that CLIENTSSL_CLIENTCERT runs.
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        } else {
            # Certificate already presented: look up the cached fields by
            # session ID and forward them to the pool member as headers.
            set values [session lookup uie [SSL::sessionid]]
            if { [lindex $values 0] != "" } {
                HTTP::header insert XClientSSL_Serial [lindex $values 0]
                log local0. "Inserting Serial [lindex $values 0]"

                HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                log local0. "Inserting Issuer [lindex $values 1]"

                HTTP::header insert XClientSSL_Subject [lindex $values 2]
                log local0. "Inserting Subject [lindex $values 2]"

                HTTP::header insert XVersion [lindex $values 3]
                log local0. "Inserting Version [lindex $values 3]"
            }
        }
    }
}
```

```
ltm virtual /Common/xxxx_VS_y.y.y.y {
    destination /Common/y.y.y.y:443
    http-class {
        /Common/xxxx
    }
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/xxxx_NET_POOL
    profiles {
        /Common/xxxx_TCP_profile { }
        /Common/xxxx {
            context clientside
        }
        /Common/xxxxx {
            context serverside
        }
        /Common/http_x_forwarded_for { }
    }
    rules {
        /Common/insert_ssl_session_id
    }
    snat automap
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/xxx
    }
    vlans-enabled
}

ltm profile client-ssl /Common/xxxxx_client {
    app-service none
    cert /Common/xxxxx_cert.crt
    defaults-from /Common/clientssl
    key /Common/xxxxx_cert.key
    options { no-session-resumption-on-renegotiation }
    renegotiate-max-record-delay 100
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation request
}
```
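Kevin suggested watching the session with an iRule built on SSL::sessionid. The rule below is an added example for that purpose and is not part of the original thread or of the F5 article Marcin linked. It tags every completed client-side handshake as NEW, RESUMED or RENEGOTIATED, so the "establishment vs resumption" count that was later done by hand can be read from /var/log/ltm. Two things in the posted configuration make this worth checking: the client-ssl profile sets no-session-resumption-on-renegotiation, and the posted rule calls SSL::renegotiate on every request that arrives without a client certificate. Assumptions: the subtable name ssl_sessions and the 1800-second timeout are arbitrary choices for this example; CLIENTSSL_HANDSHAKE is taken to fire for each completed handshake on the connection, including renegotiations; and a handshake that finishes with a session ID the BIG-IP has already handed out is treated as a resumption, since a rejected ID results in a fresh one.

```tcl
# Added example (not from the original post or from F5): classify each
# client-side TLS handshake on the virtual server as new, resumed or
# renegotiated, using only the SSL session ID. The subtable name
# "ssl_sessions" and the 1800 s timeout are assumptions of this example.

when CLIENT_ACCEPTED {
    # Per-connection counter: the first handshake is the initial one,
    # any later CLIENTSSL_HANDSHAKE on the same TCP connection is a
    # renegotiation.
    set handshakes 0
}

when CLIENTSSL_HANDSHAKE {
    incr handshakes
    set sid [SSL::sessionid]
    set client [IP::client_addr]

    # Has this session ID been issued before? The table is shared across
    # connections, so a hit from a *new* connection means the client
    # offered an ID we already knew and the abbreviated handshake went
    # through. (A rejected ID would have produced a different, new ID.)
    set first_seen [table lookup -subtable ssl_sessions $sid]

    if { $handshakes > 1 } {
        set kind "RENEGOTIATED"
    } elseif { $first_seen ne "" } {
        set kind "RESUMED"
    } else {
        set kind "NEW"
        # Remember the ID for 1800 s (timeout and lifetime) together with
        # the address that first negotiated it, for later correlation.
        table set -subtable ssl_sessions $sid $client 1800 1800
    }

    log local0. "$kind handshake #$handshakes client=$client sid=$sid first_seen_from=$first_seen"
}
```

Attach it to the virtual server alongside the existing rule, generate a few probes from the device, and `tail -f /var/log/ltm`. A device that really resumes will show one NEW line followed by RESUMED lines with the same sid; a run of NEW lines with changing sids means a full handshake each time, and RENEGOTIATED lines show the renegotiations that the posted rule triggers on certificate-less requests. The lookup is keyed purely on the session ID, so it says nothing about which pool member the connection went to; it only tells you whether the TLS layer on the client side was resumed.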

 

 

garfield831_116
Nimbostratus
What is also very interesting: we made 4 probes today.

I see in the logs:

```
Mar 8 09:55:29 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Commonxxxx_net_clie
Mar 8 09:58:27 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
Mar 8 10:01:19 tmm1 warning tmm1[32186]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
Mar 8 10:09:14 tmm warning tmm[32185]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: /Common/xxxx_net_clie
```

1 was establishment

2 and 3 were RESUMPTION

4 was establishment

 

nitass
F5 Employee
I do not get the "Self-initiated renegotiation attempted while renegotiation disabled" log in my lab. Is there anything I missed?

This is my setting.

```
root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys version
Sys::Version
Main Package
  Product  BIG-IP
  Version  11.2.1
  Build    807.0
  Edition  Hotfix HF1
  Date     Tue Oct 2 10:46:52 PDT 2012
Hotfix List
  ID395272 ID397435 ID397882 ID397981

root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.119:443
    http-class {
        myhttpclass
    }
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        myclientssl {
            context clientside
        }
        serverssl {
            context serverside
        }
        tcp { }
    }
    rules {
        insert_ssl_session_id
    }
    snat automap
    vlans-disabled
}

root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile httpclass myhttpclass
ltm profile httpclass myhttpclass {
    app-service none
    asm enabled
    defaults-from httpclass
}

root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:443 {
            address 200.200.200.101
        }
    }
}

ltm profile client-ssl myclientssl {
    app-service none
    options { no-session-resumption-on-renegotiation }
    renegotiate-max-record-delay 100
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation request
}
```

```tcl
root@(ve1121)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule insert_ssl_session_id
ltm rule insert_ssl_session_id {
    when CLIENT_ACCEPTED {
        log local0. "--"
    }
    when CLIENTSSL_HANDSHAKE {
        log local0. "SSL session Id [SSL::sessionid]"
    }
    when CLIENTSSL_CLIENTCERT {
        log local0. "SSL session Id [SSL::sessionid]"
        set cert [SSL::cert 0]
        set sn [X509::serial_number $cert]
        set subject [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set version [X509::version $cert]
        session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
    }
    when HTTP_REQUEST {
        log local0. ""
        log local0. "URI [HTTP::uri]"
        if { [SSL::cert count] < 1 } {
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
            log local0. "SSL::renegotiate"
        } else {
            set values [session lookup uie [SSL::sessionid]]
            if { [lindex $values 0] != "" } {
                HTTP::header insert XClientSSL_Serial [lindex $values 0]
                log local0. "Inserting Serial [lindex $values 0]"
                HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                log local0. "Inserting Issuer [lindex $values 1]"
                HTTP::header insert XClientSSL_Subject [lindex $values 2]
                log local0. "Inserting Subject [lindex $values 2]"
                HTTP::header insert XVersion [lindex $values 3]
                log local0. "Inserting Version [lindex $values 3]"
            }
        }
    }
}
```

/var/log/ltm:

```
[root@ve1121:Active:Standalone] config # tail -f /var/log/ltm
Mar 9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
Mar 9 16:07:34 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b7b9c9e90e8b51ea846bd8eecda30b2eabf91a5de694dc878c
Mar 9 16:07:38 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
Mar 9 16:07:38 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b8b9c9e90e8b51ea846bd8eecda30b2eaaf91a5de694dc8780
Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : --
Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64b9b9c9e90e8b51ea846bd8eecda30b2ea9f91a5de694dc8786
Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id :
Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : URI /
Mar 9 16:07:40 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL::renegotiate
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64bab9c9e90e8b51ea846bd8eecda30b2ea8f91a5de694dc8786
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : SSL session Id 7127aea7e11d64bab9c9e90e8b51ea846bd8eecda30b2ea8f91a5de694dc8786
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id :
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : URI /f5.gif
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Serial 01
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Issuer CN=caroot.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Subject CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
Mar 9 16:07:46 tmm info tmm[13182]: Rule /Common/insert_ssl_session_id : Inserting Version 3
```