boneyard
Feb 09, 2012

ending SSL session

I'm looking for a different way of completely ending an SSL session or having a totally new session (including a full handshake) started. As pointed out in the thread below, SSL::session invalidate doesn't seem to behave as expected; especially in CMP mode, the session often remains active.
Has anyone experienced this before and/or found another way to actively end SSL sessions or force the start of a new SSL session?
Thread which discusses the SSL::session invalidate issue:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1180464/showtab/groupforums/Default.aspx
5 Replies

  • Hi Boneyard,
    If the devices you are using are also multi-processor then you might want to open up a case to see if they have created a fix for this bug yet. Perhaps it has been released in a later HF for v10.2.2. I know at this point they are up to HF4 969.0 and the post that you referenced is from July of 2011.
    Also, depending on how abrupt you want to be with the connection you could try an SSL::disable followed by a reject to kill the session and connection.
    Similar to this post: How To Avoid SSL Handshake When No Pool Member Available.
    Hope this helps.
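For reference, an iRule sketching the two approaches discussed in this reply (an added example, not code from the thread or from F5): the graceful `SSL::session invalidate`, and the abrupt `SSL::disable` followed by `reject` that tears the connection down. The `/logout` and `/force-reconnect` paths and the use of the `HTTP_REQUEST` event are assumptions; whether `SSL::session invalidate` actually takes effect is subject to the CMP bug this thread describes.

```tcl
# Added example iRule (not from the thread or from F5). Assumed: an HTTPS virtual
# server with a client SSL profile and an HTTP profile, and two hypothetical paths.
when HTTP_REQUEST {
    # Graceful option: mark the SSL session as non-resumable so the client's next
    # connection must perform a full handshake instead of resuming by session ID.
    # The current connection keeps working. This is the command the thread reports
    # as unreliable on CMP (multi-processor) systems.
    if { [HTTP::path] equals "/logout" } {
        SSL::session invalidate
        log local0. "invalidated SSL session for [IP::client_addr]"
    }

    # Abrupt option (suggested in this reply): stop SSL processing on the
    # connection and reject it. The client receives no HTTP response, so the
    # user must reload the page; only the reconnect will start a new handshake.
    if { [HTTP::path] equals "/force-reconnect" } {
        log local0. "rejecting SSL connection from [IP::client_addr]"
        SSL::disable
        reject
    }
}
```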
  • Hi Boneyard,
    As Michael said, I'd open a case with F5 Support to get an official response on this. If you do, please reply back with the case number.
    Thanks, Aaron
  • Actually, I found the bug:
    BZ365698 - ssl::invalidate does not work correctly on CMP environment
    I'd open a case with Support and ask for an engineering hotfix to be provided for you.
    Aaron
  • Seems there is an engineering hotfix for 10.2.2 HF1 / 10.2.3 available; looking into getting that.
    As for the SSL::disable and reject, that probably requires client-side action to continue further, right? An HTTP session would be interrupted to the point that a client has to refresh the page manually?
  • I'd get the engineering hotfix. Short of that, I can't think of a simple, efficient way to work around the issue.
    Aaron