Forum Discussion

fgf_165674
May 02, 2015

TLS session resumption

Hello,

If I run a test of TLS session resumption on LTM version 11.4.1, it doesn't work.

Instead, if I repeat the same test on LTM version 11.5.1, it works fine.

I am using an SSL client profile with default settings.

Do you know how I can get TLS session resumption in LTM version 11.4.1?

Thanks. Regards,

 

5 Replies

  • This is mine.

     version
    
    [root@B4200-R77-S7:Active:Standalone] config  tmsh show sys version|head
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.4.1
      Build    675.0
      Edition  Hotfix HF7
      Date     Mon Dec 29 23:07:14 PST 2014
    
     configuration
    
    [root@B4200-R77-S7:Active:Standalone] config  tmsh list ltm virtual bar
    ltm virtual bar {
        destination 100.100.100.123:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 3
    }
    
     test
    
    [root@client3 ~] openssl s_client -connect 100.100.100.123:443 -reconnect
    CONNECTED(00000003)
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
       i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    ---
    Server certificate
    subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1101 bytes and written 435 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
        Session-ID-ctx:
        Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1430624551
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    drop connection and then reconnect
    CONNECTED(00000003)
    ---
    Reused, TLSv1/SSLv3, Cipher is RC4-SHA
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
        Session-ID-ctx:
        Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1430624551
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    drop connection and then reconnect
    CONNECTED(00000003)
    ---
    Reused, TLSv1/SSLv3, Cipher is RC4-SHA
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
        Session-ID-ctx:
        Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1430624551
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    drop connection and then reconnect
    CONNECTED(00000003)
    ---
    Reused, TLSv1/SSLv3, Cipher is RC4-SHA
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
        Session-ID-ctx:
        Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1430624551
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    drop connection and then reconnect
    CONNECTED(00000003)
    ---
    Reused, TLSv1/SSLv3, Cipher is RC4-SHA
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
        Session-ID-ctx:
        Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1430624551
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    drop connection and then reconnect
    CONNECTED(00000003)
    ---
    Reused, TLSv1/SSLv3, Cipher is RC4-SHA
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
        Session-ID-ctx:
        Master-Key: 155EE0A982AB68A7E15040F11A3BD2889607642FA5B75761367462F278EF564FD1D5B87378B5E4F893C1B3501E261EC6
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1430624551
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
  • Hi nitass,

    thanks for your response.

    This is my test:

    $ openssl s_client -connect 10.40.5.10:443 -reconnect

    [...]

    No client certificate CA names sent

    SSL handshake has read 5934 bytes and written 893 bytes

    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES128-SHA
        Session-ID: D3E36ACF934B950E3924926DA922667B457160FA70B48F9F43A11CD252A7A6B6
        Session-ID-ctx:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1429892007
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)

    drop connection and then reconnect
    CONNECTED(00000003)

    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES128-SHA
        Session-ID: D3E36ACF93495B1A3924926DA922657A2690A7AA1352D4B443A11CD252A7A6B9
        Session-ID-ctx:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1429892008
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)

    [...]

    Can you show the config of the client SSL profile?

    I suspect that it can be related to the protocol used in the cipher suite.

    Regards,

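Added example, not part of the thread: a small Python checker that reads `openssl s_client -reconnect` output like the two transcripts above and decides whether the reconnects were really resumed, i.e. reported as "Reused" with the same Session-ID as the first full handshake, rather than as a fresh "New" handshake with a different ID. The sample transcripts are constructed from the values quoted in the posts, with the unrelated output lines trimmed.

```python
import re
from typing import Dict, List

# Constructed excerpts modelled on the `openssl s_client -reconnect` output posted in this
# thread (Session-IDs as quoted there, other lines trimmed): a resumed and a non-resumed run.
RESUMED = """\
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Protocol  : TLSv1
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
    Protocol  : TLSv1
    Session-ID: 5113D1CD9EC392BD39E33B57160B68F64A3A38CDF927B1EAAF9B14A29BA26722
"""
NOT_RESUMED = """\
New, TLSv1/SSLv3, Cipher is AES128-SHA
    Protocol  : TLSv1.2
    Session-ID: D3E36ACF934B950E3924926DA922667B457160FA70B48F9F43A11CD252A7A6B6
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is AES128-SHA
    Protocol  : TLSv1.2
    Session-ID: D3E36ACF93495B1A3924926DA922657A2690A7AA1352D4B443A11CD252A7A6B9
"""

# s_client prints one "New"/"Reused" line per handshake, followed by the SSL-Session block.
HANDSHAKE_RE = re.compile(r"^(New|Reused), \S+, Cipher is (\S+)$")
FIELD_RE = re.compile(r"^(Protocol|Session-ID)\s*:\s*(\S*)$")

def parse_s_client(output: str) -> List[Dict[str, str]]:
    """One record per handshake: kind (New/Reused), cipher, protocol, session_id."""
    handshakes: List[Dict[str, str]] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = HANDSHAKE_RE.match(line)
        if m:
            handshakes.append({"kind": m.group(1), "cipher": m.group(2),
                               "protocol": "", "session_id": ""})
        elif handshakes and (m := FIELD_RE.match(line)):
            key = "protocol" if m.group(1) == "Protocol" else "session_id"
            handshakes[-1][key] = m.group(2)
    return handshakes

def resumption_ok(handshakes: List[Dict[str, str]]) -> bool:
    """Resumption works only if the first handshake is full (New) and every later
    reconnect is Reused with that same non-empty Session-ID."""
    if len(handshakes) < 2 or handshakes[0]["kind"] != "New" or not handshakes[0]["session_id"]:
        return False
    sid = handshakes[0]["session_id"]
    return all(h["kind"] == "Reused" and h["session_id"] == sid for h in handshakes[1:])
```

Pipe a real run into it with `openssl s_client -connect host:443 -reconnect </dev/null` and pass the captured text to `parse_s_client`; a server that silently fails to resume shows up as repeated "New" records with changing Session-IDs, exactly the pattern in the second transcript.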

  • Can you show the config of the client SSL profile?

    It is default.

    root@(B4200-R77-S7)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm profile client-ssl clientssl
    ltm profile client-ssl clientssl {
        alert-timeout 10
        app-service none
        authenticate once
        authenticate-depth 9
        ca-file none
        cache-size 262144
        cache-timeout 3600
        cert default.crt
        cert-extension-includes { basic-constraints subject-alternative-name }
        chain none
        ciphers DEFAULT
        client-cert-ca none
        crl-file none
        handshake-timeout 10
        key default.key
        mod-ssl-methods disabled
        mode enabled
        options { dont-insert-empty-fragments }
        passphrase none
        peer-cert-mode ignore
        renegotiate-max-record-delay indefinite
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation require
        strict-resume disabled
        unclean-shutdown enabled
    }
    
  • Hello,

    This is the problem: the profile name length (32 characters).

    After changing the profile name, the problem is now solved.

    Thanks a lot.

    Regards,