
HTTP request body size limit during SSL renegotiation

Hi,


We have several policies in place that enable mutual TLS for certain paths, e.g.:


add ssl action TEST.act -clientAuth DOCLIENTAUTH

add ssl policy TEST-pol -rule "REQ.HTTP.URL CONTAINS /api/services" -action TEST.act


This means that SSL renegotiation always occurs for these requests. Everything works correctly until the request body gets beyond ~70 KB in size, which is nothing unusual when posting XML. If we get beyond this size, NetScaler drops the request and lets it time out.


We had this issue a few years ago, back when we were terminating SSL on Apache. We found out that Apache needs to store the request somewhere while the SSL renegotiation is ongoing; this is called the SSL renegotiation buffer, which is limited in size and can be extended by altering the SSLRenegBufferSize parameter.


From the Apache docs:

"If an SSL renegotiation is required in per-location context, for example, any use of SSLVerifyClient in a Directory or Location block, then mod_ssl must buffer any HTTP request body into memory until the new SSL handshake can be performed. This directive can be used to set the amount of memory that will be used for this buffer."


Now I believe that we are experiencing the same thing on NetScaler. I went through what documentation I could and still can't find anything describing this behavior on NetScaler. The request MUST be stored somewhere during the renegotiation, and it MUST be limited for safety reasons.


We are running ADC 11.1.
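The post reports a threshold of roughly 70 KB but has no way to pin it down. The script below is an added example, not code from the original post or from Citrix: it bisects on POST body size against a client-authenticated path and reports the largest accepted and smallest rejected size. The host name, port, path and certificate file names are assumptions; a timeout, TLS error or connection reset is treated as a rejection, which matches the "drops the request and lets it time out" symptom described above.

```python
"""Probe for the largest POST body a client-authenticated path accepts.

Added example; not from the original post or from Citrix. It bisects on body
size so the boundary can be measured instead of guessed. Host, port, path and
certificate file names are assumptions; replace them with your own.
"""
import http.client
import socket
import ssl
from typing import Callable, Optional, Tuple

Sender = Callable[[bytes], bool]


def xml_body(size: int) -> bytes:
    """Constructed XML payload padded with 'x' to exactly `size` bytes."""
    head = b"<?xml version='1.0'?><doc><pad>"
    tail = b"</pad></doc>"
    if size < len(head) + len(tail):
        raise ValueError("size too small for the XML envelope")
    return head + b"x" * (size - len(head) - len(tail)) + tail


def make_https_sender(host: str, port: int, path: str, cert_file: str,
                      key_file: str, ca_file: Optional[str] = None,
                      timeout: float = 15.0) -> Sender:
    """Return a function that POSTs a body using a client certificate.

    A request counts as accepted when any HTTP response comes back with a
    status below 500; a TLS error, connection reset or timeout (the symptom
    described in the post) counts as rejected.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)

    def send(body: bytes) -> bool:
        conn = http.client.HTTPSConnection(host, port, context=ctx,
                                           timeout=timeout)
        try:
            conn.request("POST", path, body=body,
                         headers={"Content-Type": "application/xml"})
            resp = conn.getresponse()
            resp.read()
            return resp.status < 500
        except (socket.timeout, ssl.SSLError, http.client.HTTPException,
                OSError):
            return False
        finally:
            conn.close()

    return send


def find_body_limit(send: Sender, lo: int = 1024, hi: int = 1024 * 1024,
                    tolerance: int = 256) -> Tuple[int, Optional[int]]:
    """Bisect for the largest body size `send` accepts.

    Assumes the behaviour is monotonic: once a size fails, every larger size
    fails too. Returns (largest_accepted, smallest_rejected); the second
    element is None when even `hi` was accepted.
    """
    if not send(xml_body(lo)):
        raise RuntimeError("smallest probe failed; check cert, path and host")
    if send(xml_body(hi)):
        return hi, None
    while hi - lo > tolerance:
        mid = (lo + hi) // 2
        if send(xml_body(mid)):
            lo = mid
        else:
            hi = mid
    return lo, hi


if __name__ == "__main__":
    # Assumed values; every failing probe costs one full timeout.
    probe = make_https_sender("adc.example.internal", 443, "/api/services",
                              "client.crt", "client.key")
    ok, bad = find_body_limit(probe)
    print(f"accepted up to {ok} bytes, rejected from {bad} bytes")
```

Because a rejected request only shows up as a timeout, each failing probe costs the full `timeout`; with the default 1 MB upper bound and 256-byte tolerance the bisection needs about a dozen probes, so the run takes a few minutes rather than seconds. Run it against the same policy-bound path (`/api/services` in the post) and compare the reported boundary with what the application actually posts.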