SSL renegotiation and SSL persistence?

  1. What is the difference between using SSL renegotiation and SSL persistence?
  2. Having a VS configured for TCP standard (SSL client and server profiles applied), the client makes an SSL handshake for each session (almost 10 successive connections in less than 10 minutes; I observed this by the port number the client is using for each session), which consumes a lot of time. What is the best way to work around that?
  3. Can we configure F5 such that if a client with some IP 10.xx.x.x has once negotiated SSL for the first time, it then does not negotiate the SSL handshake for the next 30 min, or for the next 10 sessions (to whatever extent it is possible: do not negotiate forever, or do not negotiate for the next 30 min, with the configuration utility)?
  4. If yes, how, and what are the disadvantages? Else, how to deal with those hundreds of negotiations?

Answers to this Question

  1. SSL renegotiation is a function of the SSL/TLS protocol to renegotiate the session, usually to refresh the keys, but is also used in "step-up auth" scenarios. SSL persistence is a mechanism employed by a load balancing device to ensure traffic from a single session persists to the same backend server, based on the SSL session ID. Keep in mind however that modern web browsers and web servers will renegotiate the TLS session often, making SSL persistence generally unreliable.

  2. 10 SSL handshakes in 10 minutes doesn't seem like an unusual traffic flow. Is this not web traffic?

  3. Again, depending on the application protocol, it's not unreasonable for a client and server to re-handshake every so often.

  4. Are you looking at dozens of SSL handshakes or thousands/millions? HTTP is a stateless protocol, so browsers can and will renegotiate SSL sessions reasonably often. Hopefully you'd see more resumptions than renegotiations from a single client, but it generally depends on the client.
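The answer above distinguishes SSL persistence (a load balancer keying on the TLS session ID) from the handshakes the client itself decides to run. As an added example, not code from the original thread or from F5, the following Python builds and parses minimal TLS 1.2 ClientHello and ServerHello records and runs a toy persistence table over them the way the answer describes: a ClientHello that carries a session ID already in the table goes to the member chosen when that session was first negotiated; an empty session ID means the client is starting a full handshake, so the connection is load balanced and the session ID the server issues in its ServerHello is learned. The pool member addresses, the 32-byte session ID and the round-robin load balancer are constructed for the illustration. One caveat the example makes visible: the table only helps when the client actually resumes; a client that opens every connection with an empty session ID, or with one the BIG-IP has never seen, is load balanced afresh every time, which is the "resumptions vs. renegotiations" point above. (In TLS 1.3 the session ID field is a random legacy value and resumption is carried by PSK tickets, so session-ID persistence gives nothing useful there.)

```python
"""Added example: TLS 1.2 Hello parsing plus a toy SSL-session-ID persistence table.

Everything here is constructed in memory; there is no network I/O, and the
pool members, session IDs and load-balancing method are assumptions made for
the illustration, not BIG-IP behaviour verbatim.
"""
import os
import struct

CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
TLS12 = b"\x03\x03"


def _handshake_record(hs_type, body):
    """Wrap a handshake body in a handshake header and a TLS record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(session_id=b"", client_random=None):
    """ClientHello; an empty session ID asks the server for a full handshake."""
    cipher_suites = b"\xc0\x2f\xc0\x30"  # ECDHE-RSA-AES128-GCM-SHA256, ...AES256-GCM-SHA384
    body = (TLS12 + (client_random or os.urandom(32))
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")  # one compression method: null
    return _handshake_record(HS_CLIENT_HELLO, body)


def build_server_hello(session_id, server_random=None):
    """ServerHello carrying the session ID the server chose for this session."""
    body = (TLS12 + (server_random or os.urandom(32))
            + bytes([len(session_id)]) + session_id
            + b"\xc0\x2f" + b"\x00")  # selected cipher suite, null compression
    return _handshake_record(HS_SERVER_HELLO, body)


def parse_hello(record):
    """Return the type, version and session ID of a ClientHello/ServerHello record."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) - 5 < rec_len:
        raise ValueError("truncated record")
    hs = record[5:5 + rec_len]
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    if hs_type not in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
        raise ValueError("unexpected handshake type %d" % hs_type)
    # body layout: version(2) random(32) session_id_len(1) session_id ...
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    if sid_len > 32 or len(session_id) != sid_len:
        raise ValueError("bad session id length")
    return {"type": hs_type, "version": body[0:2], "session_id": session_id}


class SslSessionPersistence:
    """Toy persistence table: TLS session ID -> pool member (round-robin otherwise)."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.table = {}
        self._rr = 0
        self.full_handshakes = 0

    def select_member(self, client_hello):
        """Return (member, persisted) for a new connection's ClientHello."""
        sid = parse_hello(client_hello)["session_id"]
        if sid and sid in self.table:
            return self.table[sid], True
        # Empty or unknown session ID: the client will do a full handshake.
        self.full_handshakes += 1
        member = self.pool[self._rr % len(self.pool)]
        self._rr += 1
        return member, False

    def learn(self, server_hello, member):
        """Record the session ID the chosen member issued in its ServerHello."""
        sid = parse_hello(server_hello)["session_id"]
        if sid:
            self.table[sid] = member


def demo():
    """Ten connections from one client: one full handshake, nine resumptions, then a fresh one."""
    lb = SslSessionPersistence(["10.0.0.11:443", "10.0.0.12:443"])  # constructed pool
    first_member, _ = lb.select_member(build_client_hello())        # empty ID: full handshake
    sid = bytes.fromhex("aa" * 32)                                  # constructed server-chosen ID
    lb.learn(build_server_hello(sid), first_member)
    resumed = [lb.select_member(build_client_hello(sid)) for _ in range(9)]
    fresh_member, _ = lb.select_member(build_client_hello())        # client started over
    return {"first_member": first_member, "resumed": resumed,
            "fresh_member": fresh_member, "full_handshakes": lb.full_handshakes}


if __name__ == "__main__":
    print(demo())
```

The nine resuming connections all land on the same member without being counted as full handshakes; the eleventh, sent with an empty session ID, is load balanced again and lands on the other member. Counting `full_handshakes` against total connections over a capture is a quick way to tell whether a client is resuming at all before tuning anything on the device.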