Bug ID 997357: iRule command "SSL:session invalidate" not working as expected

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2

Fixed In:
17.0.0

Opened: Feb 24, 2021

Severity: 4-Minor

Symptoms

The iRule command "SSL::session invalidate" allows session resumption to happen. Session resumption is not supposed to occur when this command is used in an iRule.

Impact

Session resumption happens where an iRule includes "SSL::session invalidate", which is not supposed to occur.

Conditions

"SSL::session invalidate" is used in the iRule event HTTP_REQUEST.

Workaround

Session resumption should be disabled in the SSL profiles.

Fix Information

SSL::session invalidate will now properly remove the current session information from the session cache.
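
One way to confirm from a client that the workaround or the fix has taken effect (an added example, not F5 code): it sends a request on which the iRule is assumed to call the invalidate command, then offers the same TLS session on a new connection and reports whether it was resumed. The `/logout` path, the function names and `StubServer` (a constructed model of the affected and fixed behaviour, used so the logic runs offline) are assumptions; the live probe also assumes the virtual server accepts TLS 1.2.

```python
import functools
import socket
import ssl

def tls_get(ctx, host, port, path, session=None, timeout=5.0):
    """Open one TLS connection, send one GET, return (session, was_resumed)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            while tls.recv(4096):      # drain the response so HTTP_REQUEST has run
                pass
            return tls.session, tls.session_reused

def resumes_after_request(request, path):
    """True if the session that carried a request for `path` is still
    accepted for resumption on the next connection.
    `request(path, session)` must return (session, was_resumed)."""
    session, _ = request(path, None)        # full handshake, then the HTTP request
    _, resumed = request(path, session)     # offer the same session again
    return resumed

def probe(host, path, port=443, cafile=None):
    """Run the check against a live virtual server (certificate is verified)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # TLS 1.2 cap: the session object is complete as soon as the handshake ends.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return resumes_after_request(functools.partial(tls_get, ctx, host, port), path)

class StubServer:
    """Constructed stand-in for offline runs; not BIG-IP code."""
    def __init__(self, invalidate_works):
        self.invalidate_works, self.cache, self.next_id = invalidate_works, set(), 0
    def request(self, path, session):
        resumed = session in self.cache
        if not resumed:                     # full handshake: issue and cache a new session
            self.next_id += 1
            session = self.next_id
            self.cache.add(session)
        if path == "/logout" and self.invalidate_works:   # hypothetical trigger path
            self.cache.discard(session)
        return session, resumed

if __name__ == "__main__":
    print("affected model resumes:", resumes_after_request(StubServer(False).request, "/logout"))
    print("fixed model resumes:   ", resumes_after_request(StubServer(True).request, "/logout"))
```

Against a real virtual server, `probe(host, path)` returning `False` for the path that triggers the iRule is the expected result once session resumption is disabled or the fixed version is running.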

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips