SSL Renegotiation Process and Session Reuse on ADC Appliance

Article ID: CTX121925

Description

This article describes SSL renegotiation and SSL session reuse on an ADC appliance.

SSL Renegotiation Process on an ADC Appliance

SSL renegotiation is a new SSL handshake performed over an already established SSL connection. Because the renegotiation messages, including the cipher negotiation and the new encryption keys, are encrypted and sent inside the existing SSL connection, the renegotiation establishes a fresh secure SSL session without tearing down the connection.

The ADC appliance never asks the client to renegotiate the SSL connection. However, if the client or the back-end server initiates a renegotiation, the appliance supports it.

Disable Client Side or Server Side SSL Renegotiation on ADC

Refer to CTX123680 – Configure "-denySSLReneg" Parameter to Disable Client Side and Server Side SSL Renegotiation on NetScaler

SSL Session Reuse Option on an ADC Appliance

Additionally, you can reuse an existing SSL session on the ADC appliance. While SSL renegotiation consists of a full SSL handshake, SSL session reuse consists of a partial (abbreviated) handshake, because the client presents the SSL session ID of the earlier session with its request. Run the following command from the command line interface of the appliance to control SSL session reuse:

  set ssl vs test -sessReuse ENABLED -sessTimeout 120

By default, session reuse is enabled on the appliance and the session timeout is 120 seconds. Therefore, if a client opens another TCP connection and presents the earlier SSL session ID within 120 seconds, the appliance performs a partial handshake instead of a full one.

Configure session reuse by using the command line interface

At the command prompt, type the following commands to configure session reuse and verify the configuration:

  • set ssl vserver <vServerName> -sessReuse ( ENABLED | DISABLED ) -sessTimeout <positive_integer>
  • show ssl vserver <vServerName>

Configure session reuse by using the configuration utility

  1. Navigate to Traffic Management > SSL Offload > Virtual Servers.
  2. Select the virtual server for which you want to customize SSL settings, and then click Open.
  3. On the SSL Settings tab, click SSL Parameters.
  4. In the Configure SSL Params dialog box, specify values for the following parameters:
    • Enable Session Reuse*
    • Time-out

    * A required parameter

  5. Click OK, and in the Configure Virtual Server (SSL Offload) dialog box, click OK.

Note: High CPU usage can occur on ADC VPX appliances that use 4k (4096-bit) certificates if session reuse is disabled for long periods, because a VPX appliance has no SSL cards and the larger key size makes every full SSL handshake consume many more CPU cycles.
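A client-side check, added here and not part of the Citrix article, that confirms a vserver actually resumes sessions once -sessReuse is ENABLED: it counts the full ("New") and abbreviated ("Reused") handshakes reported by `openssl s_client -reconnect`, which reconnects five times presenting the session ID from the first connection. It assumes openssl is installed on the client; the vserver address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Citrix article. Verifies from a client that an
# SSL vserver honours session reuse. openssl is assumed to be installed.

# count_resumptions reads `openssl s_client -reconnect` output on stdin and
# prints "<new> <reused>": the number of full handshakes and of abbreviated
# (resumed) handshakes. s_client -reconnect connects once and then reconnects
# five more times with the session ID it was given, so a vserver with
# session reuse enabled should yield 1 new and 5 reused sessions.
count_resumptions() {
    awk '
        /^New,/    { new++ }
        /^Reused,/ { reused++ }
        END        { printf "%d %d\n", new + 0, reused + 0 }
    '
}

# reuse_status classifies the counts:
#   0 = session reuse working (at least one abbreviated handshake)
#   1 = session reuse disabled (every reconnect was a full handshake)
#   2 = no handshake seen at all (connection or TLS failure)
reuse_status() {
    new=$1; reused=$2
    if [ "$new" -eq 0 ] && [ "$reused" -eq 0 ]; then echo 2
    elif [ "$reused" -eq 0 ]; then echo 1
    else echo 0
    fi
}

# check_vserver runs the live probe against a vserver; addr is host:port.
# Usage (placeholder address): check_vserver "VSERVER_ADDR_PLACEHOLDER:443"
check_vserver() {
    addr=$1
    counts=$(openssl s_client -connect "$addr" -reconnect </dev/null 2>/dev/null \
             | count_resumptions)
    reuse_status $counts
}

# Constructed sample of s_client -reconnect output, as expected when
# session reuse is enabled on the vserver (1 full + 5 resumed handshakes).
SAMPLE_REUSE_ON='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
```

A status of 1 against a vserver that should have reuse enabled usually means the configured -sessTimeout has already expired or the setting was not applied to that vserver.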
