
Rewrite policy doesn't work when SSL session resumption on NetScaler VPX



Hello specialists,

We have an issue with a rewrite policy for SSL transactions on NetScaler. Can anyone help if they know the resolution or the cause? Thank you in advance.

<Environment>
- Citrix NetScaler VPX 12.1 Build 48.13.nc
- Load balancing for SSL transactions with GSLB and a 2-node high-availability pair.
- SSL transactions require client authentication with a client certificate.
- Configured with a rewrite policy for requests that adds a custom header built from the client certificate.
- The rewrite policy is bound to the lb vserver, and the custom header is used for session persistence, like '-persistenceType RULE -rule "HTTP.REQ.HEADER(\"<custom header name>\")"'.
- The sessReuse option on the SSL profile is set to ENABLED.


<Issue>
ONLY when sessions are re-used via the sessReuse option, the rewrite policy doesn't work and our custom header isn't added to requests.
We identified this behavior by analyzing a packet capture. As a temporary solution we set the sessReuse option to DISABLED, so that a full SSL/TLS handshake is performed every time, and then it works.

<What we want to know>
We couldn't find any published knowledge/documentation that states a relation between the triggering of a rewrite policy and the behavior of re-using an SSL/TLS session.

Is there a way to make the rewrite policy work also when the SSL/TLS session is re-used?
OR
Does someone have a technical description of the NetScaler design and/or implementation that explains this behavior?

Regards,
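The configuration described in the first post, written out as NetScaler CLI commands, as an added example that is not configuration from the original thread. The virtual server name vs_ssl_app, the SSL profile name ssl_prof_app, the header name X-Client-Cert-Subject, the action and policy names, and the choice of CLIENT.SSL.CLIENT_CERT.SUBJECT as the extracted certificate attribute are all assumptions. The last two commands show the workaround the thread ends up with (sessReuse DISABLED), which forces a full handshake on every connection.

```nscli
# Constructed example; all names are placeholders, not from the thread.

# Require a client certificate on the SSL virtual server
set ssl vserver vs_ssl_app -clientAuth ENABLED -clientCert Mandatory

# Rewrite action: copy an attribute of the client certificate into a request header
add rewrite action rw_act_client_cert_subject insert_http_header X-Client-Cert-Subject "CLIENT.SSL.CLIENT_CERT.SUBJECT"

# Rewrite policy: evaluate the action for requests arriving over SSL
add rewrite policy rw_pol_client_cert_subject "CLIENT.SSL.IS_SSL" rw_act_client_cert_subject

# Bind the policy to the lb vserver at request time
bind lb vserver vs_ssl_app -policyName rw_pol_client_cert_subject -priority 100 -gotoPriorityExpression END -type REQUEST

# Persistence keyed on the header the rewrite action inserts; if the header
# is missing (the symptom in the thread) the persistence lookup has nothing to match
set lb vserver vs_ssl_app -persistenceType RULE -rule "HTTP.REQ.HEADER(\"X-Client-Cert-Subject\")"

# Workaround from the thread: disable session reuse on the front-end SSL profile
# bound to the vserver, so every connection performs a full handshake
set ssl profile ssl_prof_app -sessReuse DISABLED
set ssl vserver vs_ssl_app -sslProfile ssl_prof_app
```

To check whether the policy is firing for a given connection, compare the Hits counter in "show rewrite policy rw_pol_client_cert_subject" before and after a request, and confirm in a packet capture whether that request rode on a full or an abbreviated handshake. Disabling session reuse costs a full handshake per connection, so the trade-off against the persistence requirement should be made explicitly.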


With Client Authentication enabled on an SSL virtual server, the NetScaler appliance asks for the Client Certificate during the SSL handshake.

The SSL reuse consists of a partial handshake because the client sends the SSL ID with the request.

Because of these I think you have your issue. Also I think the only solution is the one you already use: disable sessReuse.


5 hours ago, Mihai Cziraki1709160741 said:

With Client Authentication enabled on an SSL virtual server, the NetScaler appliance asks for the Client Certificate during the SSL handshake.

The SSL reuse consists of a partial handshake because the client sends the SSL ID with the request.

Because of these I think you have your issue. Also I think the only solution is the one you already use: disable sessReuse.

Thank you so much for your comment, Mihai-san.

I understand the behavior of SSL reuse and the handshake. But I couldn't make sense of why the rewrite action didn't work with a partial handshake (session reuse).

I would be grateful if you could write down such information (if you have anything).


On 2019/6/11 at 9:19 PM, Mihai Cziraki1709160741 said:


Sorry for my insufficient statement. I do understand the SSL session reuse and handshake behavior in the RFC. I don't get how SSL session reuse/handshake is related to the rewrite action policy on NetScaler.

Though you didn't state it clearly in your reply, are you saying either of the below? If so, is it based only on your experience OR on official NetScaler knowledge?

- The rewrite action policy function on NetScaler will work ONLY with a full SSL/TLS handshake.

- With a partial handshake (session reuse), the rewrite action policy on NetScaler can't pull any attributes from the client certificate, so the rewrite policy will not add the custom header.

Regards,


On 2019/6/18 at 3:18 PM, Mihai Cziraki1709160741 said:

It is based on the article I've shared with you and on experience.

If you have a rewrite policy that needs some data from the SSL negotiation, then your policy can add the HTTP header only when that negotiation takes place.

I think I understood your answer properly. OK, thank you.

Will close this thread, as no more answers/information from others will be added.
