ltm rule command SSL renegotiate
iRule(1) BIG-IP TMSH Manual iRule(1)
SSL::renegotiate
Controls renegotiation of an SSL connection.
SYNOPSIS
SSL::renegotiate (enable | disable)?
DESCRIPTION
Controls renegotiation of an SSL connection, often used to enforce new
encryption settings or certificate requirements.
This command has different results depending on whether the BIG-IP
system evaluates the command under a client-side or a server-side
context. The command only succeeds if SSL is enabled on the connection;
otherwise, the command returns an error.
RETURN VALUE
SSL::renegotiate
Renegotiates a client-side or server-side SSL connection, depending
on the context.
When the system evaluates the command under a client-side context,
the system immediately renegotiates a request for the associated
client-side connection, if client-side renegotiation is enabled. This
renegotiation enforces any SSL settings changed for the connection,
including client certificate settings.
When the system evaluates the command under a server-side context,
the system immediately initiates a renegotiation for the associated
server-side connection, using the configuration options for forced SSL
renegotiations.
SSL::renegotiate [enable | disable]
Enable or disable the ability for the peer to request
renegotiation. Renegotiation is enabled by default in BIG-IP versions
prior to 10.1.0.
When disabled, the peer is not allowed to request SSL
renegotiation. Disabling SSL renegotiation can be used to prevent SSL
injection vulnerability CVE-2009-3555 in applications which do not
require SSL renegotiation.
When the system evaluates the disable command under a client-side
context, and the system receives a ClientHello message from a SSL
client, the system terminates the connection. If a NATIVE cipher is in
use, the system transmits a handshake failure alert prior to
termination. If a COMPAT cipher is in use, the system does not transmit
a handshake failure alert prior to termination. When the system
evaluates the disable command under a server-side context, the system
ignores HelloRequest messages received from the server.
In BIG-IP versions 10.0.1 and earlier, the enable and disable commands
are available only after applying a hotfix; see SOL10737 on the AskF5
website for more details. For a list of NATIVE and COMPAT ciphers
supported by BIG-IP version 9.x, refer to SOL8802.
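The paragraphs above describe what a disabled renegotiation looks like on the wire: a peer-initiated handshake record after the connection is established, followed (for NATIVE ciphers) by an alert and termination. The following added example, which is not F5 code and is not part of this manual page, is a small TLS 1.0-1.2 record-layer classifier that a defender can run over a captured byte stream to confirm who initiated a renegotiation and whether an alert followed it. It assumes the records are captured in wire order with their sender known; because every handshake record after the initial Finished is encrypted, it reports only the record type and direction for those, never the inner ClientHello or HelloRequest. The two sample flows, the 16-byte ciphertext stand-in and the version byte are constructed for the example.

```python
import struct

# TLS record-layer content types (RFC 5246).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
HANDSHAKE_TYPES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello",
                   11: "Certificate", 13: "CertificateRequest", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 100: "no_renegotiation"}


def tls_record(content_type, payload, version=0x0303):
    """Build one TLS record: type(1) version(2) length(2) payload (constructed-data helper)."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def handshake_msg(msg_type, body=b""):
    """Build one handshake message: type(1) length(3) body (constructed-data helper)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def split_records(data):
    """Split a raw byte stream into (content_type, payload) pairs; reject truncation."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        content_type, _version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((content_type, payload))
        off += 5 + length
    return records


def handshake_types(payload):
    """List the message types carried in a plaintext handshake record."""
    types, off = [], 0
    while off + 4 <= len(payload):
        types.append(payload[off])
        off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")
    return types


def analyze(flow):
    """flow: list of (sender, raw_bytes) in wire order, sender is 'client' or 'server'.
    Per-sender state: 'plain' -> 'ccs_sent' -> 'finished' (its encrypted Finished seen).
    Any handshake record from a sender already in 'finished' is a renegotiation."""
    state = {"client": "plain", "server": "plain"}
    result = {"events": [], "renegotiation_initiator": None, "alert_after_renegotiation": False}
    for sender, raw in flow:
        for content_type, payload in split_records(raw):
            if content_type == CHANGE_CIPHER_SPEC:
                state[sender] = "ccs_sent"
                result["events"].append(f"{sender}: ChangeCipherSpec")
            elif content_type == HANDSHAKE and state[sender] == "plain":
                names = [HANDSHAKE_TYPES.get(t, f"type{t}") for t in handshake_types(payload)]
                result["events"].append(f"{sender}: Handshake " + ",".join(names))
            elif content_type == HANDSHAKE and state[sender] == "ccs_sent":
                state[sender] = "finished"  # first encrypted handshake record is Finished
                result["events"].append(f"{sender}: Handshake Finished (encrypted)")
            elif content_type == HANDSHAKE:
                # Inner ClientHello/HelloRequest is encrypted; only type and direction show.
                if result["renegotiation_initiator"] is None:
                    result["renegotiation_initiator"] = sender
                result["events"].append(f"{sender}: Handshake (encrypted, renegotiation)")
            elif content_type == ALERT:
                if state[sender] == "plain":
                    level, desc = payload[0], payload[1]
                    name = ALERT_DESCRIPTIONS.get(desc, f"alert{desc}")
                    result["events"].append(f"{sender}: Alert level={level} {name}")
                else:
                    result["events"].append(f"{sender}: Alert (encrypted)")
                if result["renegotiation_initiator"] is not None:
                    result["alert_after_renegotiation"] = True
            elif content_type == APPLICATION_DATA:
                result["events"].append(f"{sender}: ApplicationData {len(payload)} bytes")
            else:
                result["events"].append(f"{sender}: unknown content type {content_type}")
    return result


ENC = b"\x00" * 16  # constructed stand-in for ciphertext; contents are never inspected

# Constructed flow: full handshake, application data, then the client attempts
# renegotiation and the server side (renegotiation disabled, NATIVE cipher)
# answers with an alert before closing.
FLOW_CLIENT_RENEG = [
    ("client", tls_record(HANDSHAKE, handshake_msg(1, b"\x03\x03"))),
    ("server", tls_record(HANDSHAKE, handshake_msg(2, b"\x03\x03") + handshake_msg(11) + handshake_msg(14))),
    ("client", tls_record(HANDSHAKE, handshake_msg(16)) + tls_record(CHANGE_CIPHER_SPEC, b"\x01") + tls_record(HANDSHAKE, ENC)),
    ("server", tls_record(CHANGE_CIPHER_SPEC, b"\x01") + tls_record(HANDSHAKE, ENC)),
    ("client", tls_record(APPLICATION_DATA, ENC)),
    ("server", tls_record(APPLICATION_DATA, ENC)),
    ("client", tls_record(HANDSHAKE, ENC)),  # peer-initiated ClientHello (encrypted)
    ("server", tls_record(ALERT, ENC[:2])),  # handshake_failure alert (encrypted)
]

# Constructed flow: the server side renegotiates itself (HelloRequest), client answers.
FLOW_SERVER_RENEG = FLOW_CLIENT_RENEG[:6] + [
    ("server", tls_record(HANDSHAKE, ENC)),
    ("client", tls_record(HANDSHAKE, ENC)),
]

if __name__ == "__main__":
    for name, flow in (("client-initiated", FLOW_CLIENT_RENEG), ("server-initiated", FLOW_SERVER_RENEG)):
        r = analyze(flow)
        print(name, "initiator:", r["renegotiation_initiator"], "alert:", r["alert_after_renegotiation"])
        print("\n".join("  " + e for e in r["events"]))
```

The distinguishing signal is direction: a renegotiation that starts with a client handshake record is the peer-initiated case that SSL::renegotiate disable refuses, while one that starts with a server handshake record is the forced renegotiation this command issues. The classifier keys on the first encrypted handshake record after both Finished messages rather than on message contents, since those are not visible to a passive observer.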
VALID DURING
EXAMPLES
    when CLIENTSSL_HANDSHAKE {
        if { [SSL::cert count] > 0 } {
            HTTP::release
        }
    }

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/securearea/" } {
            if { [SSL::cert count] == 0 } {
                HTTP::collect
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate enable
                SSL::renegotiate
            }
        }
    }

    when CLIENTSSL_HANDSHAKE {
        SSL::renegotiate disable
    }

    when SERVERSSL_HANDSHAKE {
        SSL::renegotiate disable
    }
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-9.0.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)