Last Modified: Oct 19, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1
Fixed In:
17.0.0
Opened: Feb 24, 2021 Severity: 4-Minor
The iRule command "SSL:session invalidate" allows session resumption to happen. Session resumption not supposed to occur when this iRule command is used in an iRule.
Session resumption would happen where the iRule is used with "SSL:session invalidate" included which is not supposed to occur
"SSL:session invalidate" is used in the iRule event HTTP_REQUEST
Session resumption should be disabled in SSL profiles
SSL::Session invalidate will now properly remove the current session information from the session cache.