SSL::renegotiate

Description

Controls renegotiation of an SSL connection, often used to enforce new encryption settings or certificate requirements.
This command has different results depending on whether the BIG-IP system evaluates the command under a client-side or a server-side context. The command only succeeds if SSL is enabled on the connection; otherwise, the command returns an error.

Syntax

SSL::renegotiate
SSL::renegotiate [enable | disable]

SSL::renegotiate

  • Renegotiates a client-side or server-side SSL connection, depending on the context.
  • When the system evaluates the command under a client-side context, the system immediately renegotiates a request for the associated client-side connection, if client-side renegotiation is enabled. This renegotiation enforces any SSL settings changed for the connection, including client certificate settings.
  • When the system evaluates the command under a server-side context, the system immediately initiates a renegotiation for the associated server-side connection, using the configuration options for forced SSL renegotiations.

SSL::renegotiate [enable | disable]

  • Enable or disable the ability for the peer to request renegotiation. Renegotiation is enabled by default in BIG-IP versions prior to 10.1.0.
  • When disabled, the peer is not allowed to request SSL renegotiation. Disabling SSL renegotiation can be used to prevent SSL injection vulnerability CVE-2009-3555 in applications which do not require SSL renegotiation.
  • When the system evaluates the disable command under a client-side context and then receives a ClientHello message from an SSL client, the system terminates the connection. If a NATIVE cipher is in use, the system transmits a handshake failure alert prior to termination. If a COMPAT cipher is in use, the system does not transmit a handshake failure alert prior to termination. When the system evaluates the disable command under a server-side context, the system ignores HelloRequest messages received from the server.

  • In BIG-IP versions 10.0.1 and earlier, the enable and disable commands are available only after applying a hotfix; see SOL10737 on the AskF5 website for more details.
  • For a list of NATIVE and COMPAT ciphers supported by BIG-IP version 9.x, please refer to SOL8802.

Examples

# Example 1: force a renegotiation to require a client certificate for /securearea/.
# The request is held (HTTP::collect) until the renegotiated handshake completes
# and CLIENTSSL_HANDSHAKE releases it.
when CLIENTSSL_HANDSHAKE {
  # Fires for the initial handshake and again after each renegotiation;
  # release the held request once a client certificate has been presented.
  if { [SSL::cert count] > 0 } {
    HTTP::release
  }
}

when HTTP_REQUEST {
  if { [HTTP::uri] starts_with "/securearea/" } {
    if { [SSL::cert count] == 0 } {
      # Hold the request, drop the resumable session, and require a certificate
      # on the renegotiated handshake.
      HTTP::collect
      SSL::session invalidate
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      # Renegotiation must be enabled before the system can initiate it.
      SSL::renegotiate enable
      SSL::renegotiate
    }
  }
}

# Example 2: disallow peer-requested renegotiation on both sides of the
# connection (mitigation for CVE-2009-3555 where renegotiation is not needed).
when CLIENTSSL_HANDSHAKE {
  SSL::renegotiate disable
}

when SERVERSSL_HANDSHAKE {
  SSL::renegotiate disable
}
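The following iRule is an added example, not one of F5's own samples, that combines the two patterns above: peer-requested renegotiation is disabled after every completed handshake, it is enabled only for the single renegotiation the system itself initiates to obtain a client certificate, and the connection-scoped variable `renegotiated` (an assumption introduced here, not a BIG-IP command) prevents a second forced renegotiation on the same connection if no certificate arrives. It assumes an HTTP virtual server with a client SSL profile attached; the log line and the 403 response are illustrative choices.

```tcl
# Added example (not from the original page): one forced renegotiation to
# require a client certificate, then peer-requested renegotiation stays off.
when CLIENT_ACCEPTED {
  # Constructed connection-scoped flag: has this connection already been
  # asked to renegotiate for a client certificate?
  set renegotiated 0
}

when HTTP_REQUEST {
  if { [HTTP::uri] starts_with "/securearea/" && [SSL::cert count] == 0 } {
    if { $renegotiated } {
      # A renegotiation already ran on this connection and still no
      # certificate was presented: refuse rather than renegotiate again.
      HTTP::respond 403 content "client certificate required" "Connection" "close"
      return
    }
    set renegotiated 1
    # Hold the request until the renegotiated handshake has completed.
    HTTP::collect
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode require
    # The system can only initiate a renegotiation while renegotiation is enabled.
    SSL::renegotiate enable
    SSL::renegotiate
  }
}

when CLIENTSSL_HANDSHAKE {
  # Runs after the initial handshake and after each renegotiation.
  if { [SSL::cert count] > 0 } {
    log local0. "client cert [X509::subject [SSL::cert 0]] presented by [IP::client_addr]"
    HTTP::release
  }
  # The handshake we needed is done (or was never needed): stop the peer
  # from requesting further renegotiations (CVE-2009-3555 mitigation).
  SSL::renegotiate disable
}

when SERVERSSL_HANDSHAKE {
  # Ignore HelloRequest messages from the pool member.
  SSL::renegotiate disable
}
```

Because `SSL::renegotiate disable` runs at the end of every CLIENTSSL_HANDSHAKE, the window in which the client may request a renegotiation is limited to the interval between `SSL::renegotiate enable` and the completion of the handshake the system itself started; after that, the connection is back in the disabled state shown in the page's second example.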