ltm rule command SSL renegotiate

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



SSL::renegotiate
       Controls renegotiation of an SSL connection.

SYNOPSIS
       SSL::renegotiate (enable | disable)?

DESCRIPTION
       Controls renegotiation of an SSL connection, often used to enforce new
       encryption settings or certificate requirements.

       This command has different results depending on whether the BIG-IP
       system evaluates the command under a client-side or a server-side
       context. The command only succeeds if SSL is enabled on the connection;
       otherwise, the command returns an error.

RETURN VALUE
       SSL::renegotiate
	   Renegotiates a client-side or server-side SSL connection, depending
       on the context.
	   When the system evaluates the command under a client-side context,
       the system immediately initiates a renegotiation on the associated
       client-side connection, provided that client-side renegotiation is
       enabled. The renegotiation enforces any SSL settings changed for the
       connection, including client certificate settings.
	   When the system evaluates the command under a server-side context,
       the system immediately initiates a renegotiation on the associated
       server-side connection, using the configuration options for forced SSL
       renegotiations.

       SSL::renegotiate [enable | disable]
	   Enables or disables the ability of the peer to request
       renegotiation. Renegotiation is enabled by default in BIG-IP versions
       prior to 10.1.0.
	   When disabled, the peer is not allowed to request SSL
       renegotiation. Disabling SSL renegotiation prevents the TLS
       renegotiation plaintext-injection vulnerability CVE-2009-3555 (the
       flaw that RFC 5746 secure renegotiation was later defined to fix) on
       applications that do not require SSL renegotiation. TLS 1.3 removed
       renegotiation from the protocol (RFC 8446), so the behaviour described
       here applies to TLS 1.2 and earlier handshakes.
	   When the system evaluates the disable command under a client-side
       context and then receives a renegotiation ClientHello from the SSL
       client on the established connection, the system terminates the
       connection. If a NATIVE cipher is in use, the system transmits a
       handshake failure alert prior to termination. If a COMPAT cipher is in
       use, the system terminates the connection without transmitting an
       alert. When the system evaluates the disable command under a
       server-side context, the system ignores HelloRequest messages received
       from the server.

       In BIG-IP versions 10.0.1 and earlier, the enable and disable options
       are available only after applying a hotfix; see SOL10737 on the AskF5
       website for details. For a list of NATIVE and COMPAT ciphers supported
       by BIG-IP version 9.x, refer to SOL8802.

VALID DURING
EXAMPLES
	# Example 1: demand a client certificate only for /securearea/ by
	# forcing a renegotiation, and hold the HTTP request until the new
	# handshake has delivered a certificate.
	when CLIENTSSL_HANDSHAKE {
	    if { [SSL::cert count] > 0 } {
		# The renegotiated handshake produced a certificate; let the
		# request parked by HTTP::collect continue to the pool.
		HTTP::release
	    }
	}
	when HTTP_REQUEST {
	    if { [HTTP::uri] starts_with "/securearea/" } {
		if { [SSL::cert count] == 0 } {
		    # Park the request, then require a client certificate on
		    # the renegotiated connection.
		    HTTP::collect
		    SSL::session invalidate
		    SSL::authenticate always
		    SSL::authenticate depth 9
		    SSL::cert mode require
		    SSL::renegotiate enable
		    SSL::renegotiate
		}
	    }
	}

	# Example 2 (independent of Example 1): refuse peer-initiated
	# renegotiation on the client side and on the server side of the
	# proxy, for applications that never need a renegotiation.
	when CLIENTSSL_HANDSHAKE {
	    SSL::renegotiate disable
	}
	when SERVERSSL_HANDSHAKE {
	    SSL::renegotiate disable
	}
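
	The text above describes what disabling renegotiation changes on the
	wire: a renegotiation ClientHello from the client is answered with a
	handshake failure alert (NATIVE) or a silent close (COMPAT), and
	HelloRequests from the server are ignored. To verify that behaviour from
	a packet capture rather than trusting the configuration, the following
	added example (written for this page; it is not F5 or BIG-IP code)
	walks a TLS 1.2-or-earlier record stream in wire order. It records
	whether the initial ClientHello offered RFC 5746 secure renegotiation
	(the protocol-level fix for CVE-2009-3555), flags every handshake
	record that appears after both sides have sent ChangeCipherSpec and
	Finished (on an established TLS 1.2 connection such a record can only
	be a renegotiation: a ClientHello from the client or a HelloRequest
	from the server, even though its contents are encrypted), and counts
	alerts that follow such an attempt. The capture at the bottom is
	constructed inline for the example; the function names and the
	(direction, bytes) chunk format are this example's own assumptions,
	not anything on this page.

```python
"""Passive check for TLS renegotiation on an established connection.

Added example, not BIG-IP code. Works on TLS 1.2 and earlier record streams;
TLS 1.3 has no renegotiation and hides post-handshake messages in
application_data records. The sample capture at the bottom is constructed.
"""
import struct

CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23
CLIENT, SERVER = "client", "server"
SCSV, RI_EXT = 0x00FF, 0xFF01          # RFC 5746 signalling suite / extension


def parse_records(direction, data):
    """Split one direction's raw byte stream into (direction, type, body) tuples."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[off:off + 5])
        if ctype not in (CCS, ALERT, HANDSHAKE, APPDATA):
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        out.append((direction, ctype, body))
        off += 5 + length
    return out


def client_hello_offers_secure_reneg(body):
    """True if a plaintext ClientHello carries the SCSV or renegotiation_info."""
    if len(body) < 4 or body[0] != 1:          # handshake msg_type 1 = ClientHello
        return None
    p = 4 + 2 + 32                              # header, client_version, random
    p += 1 + body[p]                            # session_id
    n = int.from_bytes(body[p:p + 2], "big"); p += 2
    suites = {int.from_bytes(body[i:i + 2], "big") for i in range(p, p + n, 2)}
    p += n
    p += 1 + body[p]                            # compression_methods
    exts = set()
    if p + 2 <= len(body):                      # extensions block is optional
        end = p + 2 + int.from_bytes(body[p:p + 2], "big"); p += 2
        while p + 4 <= end:
            exts.add(int.from_bytes(body[p:p + 2], "big"))
            p += 4 + int.from_bytes(body[p + 2:p + 4], "big")
    return SCSV in suites or RI_EXT in exts


def analyze(records):
    """Records in wire order -> report of renegotiation attempts and responses."""
    report = {"secure_renegotiation_offered": None, "renegotiations": [],
              "alerts_after_renegotiation": 0}
    ccs = {CLIENT: False, SERVER: False}
    fin = {CLIENT: False, SERVER: False}
    attempted = False
    for i, (dirn, ctype, body) in enumerate(records):
        if ctype == CCS:
            ccs[dirn] = True
        elif ctype == HANDSHAKE:
            if fin[CLIENT] and fin[SERVER]:
                # Both Finished seen: any further handshake record is a renegotiation.
                # It is encrypted, so the message type is inferred from direction.
                report["renegotiations"].append(
                    {"record": i, "initiator": dirn,
                     "message": "ClientHello" if dirn == CLIENT else "HelloRequest"})
                attempted = True
                ccs = {CLIENT: False, SERVER: False}
                fin = {CLIENT: False, SERVER: False}
            elif ccs[dirn]:
                fin[dirn] = True                # first handshake record after CCS = Finished
            elif dirn == CLIENT and report["secure_renegotiation_offered"] is None:
                report["secure_renegotiation_offered"] = client_hello_offers_secure_reneg(body)
        elif ctype == ALERT and attempted:
            report["alerts_after_renegotiation"] += 1   # e.g. handshake_failure from a peer
    return report


def analyze_capture(chunks):
    """chunks: [(direction, raw_bytes), ...] in the order they crossed the wire."""
    records = []
    for dirn, data in chunks:
        records.extend(parse_records(dirn, data))
    return analyze(records)


# --- constructed sample capture (not real traffic) -------------------------
def build_record(ctype, body):
    return bytes([ctype, 3, 3]) + struct.pack("!H", len(body)) + body


def build_client_hello(suites):
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty sid
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + b"\x00\x00")                            # null compression, no exts
    return b"\x01" + len(body).to_bytes(3, "big") + body


SAMPLE_CAPTURE = [
    (CLIENT, build_record(HANDSHAKE, build_client_hello([0xC02F, SCSV]))),  # 0 ClientHello + SCSV
    (SERVER, build_record(HANDSHAKE, b"\x02" + b"\x00" * 40)),               # 1 ServerHello..HelloDone
    (CLIENT, build_record(HANDSHAKE, b"\x10" + b"\x00" * 8)                  # 2 ClientKeyExchange
             + build_record(CCS, b"\x01") + build_record(HANDSHAKE, b"\xaa" * 40)),  # 3 CCS, 4 Finished
    (SERVER, build_record(CCS, b"\x01") + build_record(HANDSHAKE, b"\xbb" * 40)),    # 5 CCS, 6 Finished
    (CLIENT, build_record(APPDATA, b"\xcc" * 64)),                           # 7 encrypted request
    (SERVER, build_record(APPDATA, b"\xdd" * 64)),                           # 8 encrypted response
    (CLIENT, build_record(HANDSHAKE, b"\xee" * 120)),                        # 9 client-initiated renegotiation
    (SERVER, build_record(ALERT, b"\xff" * 22)),                             # 10 server rejects with an alert
]

if __name__ == "__main__":
    print(analyze_capture(SAMPLE_CAPTURE))
```

	To run it on real traffic, split a TCP stream into per-direction byte
	chunks in capture order (for example from tshark's follow output) and
	pass them to analyze_capture. A renegotiation entry followed by an
	alert and a close matches the NATIVE behaviour described above; a
	renegotiation entry followed only by a close matches COMPAT.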

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-9.0.0 --First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)