SSL::renegotiate

Description¶

Controls renegotiation of an SSL connection, often used to enforce new encryption settings or certificate requirements.

This command has different results depending on whether the BIG-IP system evaluates the command under a client-side or a server-side context. The command only succeeds if SSL is enabled on the connection; otherwise, the command returns an error.

Syntax¶

SSL::renegotiate
SSL::renegotiate [enable | disable]

SSL::renegotiate¶

Renegotiates a client-side or server-side SSL connection, depending on the context.
When the system evaluates the command under a client-side context, the system immediately renegotiates a request for the associated client-side connection, if client-side renegotiation is enabled. This renegotiation enforces any SSL settings changed for the connection, including client certificate settings.
When the system evaluates the command under a server-side context, the system immediately initiates a renegotiation for the associated server-side connection, using the configuration options for forced SSL renegotiations.

SSL::renegotiate [enable | disable]¶

Enable or disable the ability for the peer to request renegotiation. Renegotiation is enabled by default in BIG-IP versions prior to 10.1.0.
When disabled, the peer is not allowed to request SSL renegotiation. Disabling SSL renegotiation can be used to prevent SSL injection vulnerability CVE-2009-3555 in applications which do not require SSL renegotiation.
When the system evaluates the disable command under a client-side context, and the system receives a ClientHello message from a SSL client, the system terminates the connection. If a NATIVE cipher is in use, the system transmits a handshake failure alert prior to termination. If a COMPAT cipher is in use, the system does not transmit a handshake failure alert prior to termination. When the system evaluates this command under a server-side context, and the system will ignore HelloRequest messages received from the server.

In BIG-IP versions 10.0.1 and earlier, the enable and disable commands are available only after applying a hotfix; see SOL10737 on the AskF5 website for more details.
For a list of NATIVE and COMPAT ciphers supported by BIG-IP version 9.x, please refer to SOL8802

Examples¶

when CLIENTSSL_HANDSHAKE {
  if { [SSL::cert count] > 0 } {
    HTTP::release
  }
}

when HTTP_REQUEST {
  if {[HTTP::uri] starts_with "/securearea/" } {
    if {[SSL::cert count] == 0} {
      HTTP::collect
      SSL::session invalidate
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      SSL::renegotiate enable
      SSL::renegotiate
    }
  }
}

when CLIENTSSL_HANDSHAKE {
   SSL::renegotiate disable
}

when SERVERSSL_HANDSHAKE {
   SSL::renegotiate disable
}

Related Information¶

Valid Events:

Warning

The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.

Sample Code:

Client Cert Request by URI with OCSP Checking - Request a client SSL certificate by URI and validate it using OCSP
Request Client Certificate And Pass To Application - We are using BigIP to dynamically request a client certificate and pass it to server.

Introduced: BIGIP-9.0.0

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.