ltm rule command SSL sessionid

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



SSL::sessionid
       Gets the SSL session ID.

SYNOPSIS
       SSL::sessionid (desired)?

DESCRIPTION
       Gets the SSL session ID.

RETURN VALUE
       SSL::sessionid
	   Returns the current connection's SSL session ID if it exists in the
	   session cache.
	   In version 10.x and higher, if the session ID does not exist in the
	   cache, it returns a null string.
	   In version 9.x, if the session ID does not exist in the cache, it
	   returns a string of 64 zeroes. (This known issue is documented in
	   SOL11987.)

       Note: It appears that the session ID will never be added to the SSL
       cache if the client SSL profile is set to always validate the client
       certificate (as opposed to validating once per session).

VALID DURING
       ANY_EVENT

EXAMPLES
	when CLIENTSSL_CLIENTCERT {
	    set cert [SSL::cert 0]
	    set sid [SSL::sessionid]
	    if { $sid ne "" } {
		# If this SSL session will be cached, then it may be
		# resumed later on a new connection. Cache the cert
		# in the session table in case that happens. Because session IDs
		# are not globally unique, the session ID needs to be combined
		# with the client address to avoid a mismatch.
		set key [concat [IP::remote_addr]@$sid]
		session add ssl $key $cert 180
	    }
	}
	when HTTP_REQUEST {
	    if { [info exists cert] } {
		set sn [X509::serial_number $cert]
	    } else {
		set sid [SSL::sessionid]
		# We don't have a cert, possibly because this is
		# a new connection that was a resumption of a
		# previous SSL session. If that is the reason,
		# the cert will be in the session table.
		if { $sid ne "" } {
		    # This SSL session was resumed; retrieve the cached cert
		    set key [concat [IP::remote_addr]@$sid]
		    set cert [session lookup ssl $key]
		    if { $cert ne "" } {
			set sn [X509::serial_number $cert]
		    } else {
			# Session ID is cached but no cert was stored for it
			# (entry expired or key mismatch); reject the client
			reject
			return
		    }
		}
	    }
	    if { [info exists sn] } {
		HTTP::header insert Serial $sn
	    } else {
		# no sn available, reject the client
		reject
		return
	    }
	}
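	The iRule below is an added example, not part of the BIG-IP manual; it reworks
	the pattern above so that the 9.x sentinel of 64 zeroes (SOL11987) is handled
	the same way as the 10.x null string, and it logs cache misses before rejecting
	so that expired entries and key mismatches are visible in the LTM log. It uses
	only the commands documented on this page plus the standard log command.

```tcl
# Added example (not from the BIG-IP manual). Treats the 9.x
# 64-zero session ID (SOL11987) and the 10.x+ null string alike.
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set sid [SSL::sessionid]
    if { $sid eq [string repeat "0" 64] } {
        # 9.x reports "not cached" as 64 zeroes; normalise to the 10.x form
        set sid ""
    }
    if { $sid ne "" } {
        # Session IDs are not globally unique: scope the key to the peer address
        set key "[IP::remote_addr]@$sid"
        session add ssl $key $cert 180
    }
}
when HTTP_REQUEST {
    if { ![info exists cert] } {
        # No cert on this connection: it may be a resumed SSL session
        set sid [SSL::sessionid]
        if { $sid eq [string repeat "0" 64] } {
            set sid ""
        }
        if { $sid eq "" } {
            log local0. "No client cert and no cached session from [IP::remote_addr]"
            reject
            return
        }
        set cert [session lookup ssl "[IP::remote_addr]@$sid"]
        if { $cert eq "" } {
            # Entry expired (180 s) or the session ID came from another client
            log local0. "Cache miss for resumed session from [IP::remote_addr]"
            reject
            return
        }
    }
    HTTP::header insert Serial [X509::serial_number $cert]
}
```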

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-9.0.0 -- First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)