Graceful Cleanup of SSL Sessions

Sep 01, 2016

Some operations, such as updating a certificate to replace a potentially exposed certificate, switching to a stronger key (2048-bit instead of 1024-bit), adding or removing a certificate to or from a certificate chain, or changing any of the SSL parameters, should clean up SSL sessions gracefully instead of abruptly terminating them.

From build 64.x, existing SSL connections do not break if you update the SSL certificate, cipher list, or SSL parameters. That is, all existing connections continue using the current settings until the sessions are closed, but all new connections use the new certificate or settings. To clear the sessions immediately after a configuration change, you must disable and re-enable each affected entity.

Important: Connections that are in the middle of a handshake, or sessions that are renegotiating, are terminated. Session reuse is not allowed. Additionally, session multiplexing reuse at the back end is not allowed.

If you change a front-end parameter, such as a parameter on an SSL virtual server, only the front-end connections are affected. If you change a back-end parameter, such as a parameter on an SSL service or service group, only the back-end connections are affected. Changes to ciphers and certificates apply to both front-end and back-end connections.

The following configuration commands or changes trigger a graceful session cleanup on all affected SSL entities:

  1. set ssl vserver command
  2. set ssl service command
  3. set ssl servicegroup command
  4. set ssl profile command
  5. set ssl cipher <cipherGroupName> command
  6. Binding, unbinding, and reordering ciphers
  7. Binding and unbinding ECC curves
  8. Inserting, removing, linking, and unlinking a certificate
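After one of the changes above, a practitioner typically wants to confirm two things from the client side: that a new handshake actually receives the new certificate and key, and that a session established under the old settings is not resumed (the "Session reuse is not allowed" rule). The script below is an added example, not part of the NetScaler documentation, and assumes a generic `openssl s_client` workflow rather than any NetScaler command: save a session with `-sess_out` before the change, then reconnect with `-sess_in` after it and expect a "New" rather than "Reused" handshake. The sample output it parses is constructed; the host name, CA name, and expected values are placeholders.

```shell
#!/bin/sh
# Added example (not NetScaler's own code): check post-change handshake behaviour
# by parsing the summary lines that `openssl s_client` prints.
#
# Live usage (not executed here):
#   before the change:  openssl s_client -connect vip.example.com:443 -sess_out old.pem </dev/null
#   after the change:   openssl s_client -connect vip.example.com:443 -sess_in old.pem </dev/null
# The second run's output is what the functions below inspect.

# Constructed sample of s_client output after a certificate/key update
# (handshake-relevant lines only; host and CA names are placeholders).
SAMPLE_AFTER_CHANGE='CONNECTED(00000003)
depth=0 CN = vip.example.com
subject=CN = vip.example.com
issuer=CN = Example CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Verify return code: 0 (ok)'

# Constructed sample of a resumed session (what you do NOT want to see after a change).
SAMPLE_RESUMED='CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Verify return code: 0 (ok)'

# Print "New" or "Reused" depending on whether the handshake resumed a saved session.
session_state() {
    printf '%s\n' "$1" | awk -F', ' '/^(New|Reused), /{print $1; exit}'
}

# Print the server public key size in bits (from "Server public key is N bit").
server_key_bits() {
    printf '%s\n' "$1" | awk '/^Server public key is/{print $5; exit}'
}

# Print the presented certificate subject (text after "subject=").
cert_subject() {
    printf '%s\n' "$1" | awk -F'subject=' '/^subject=/{print $2; exit}'
}

# Return 0 when the output shows a fresh handshake, the expected subject,
# and a key of at least the required size; return 1 otherwise.
#   $1 = s_client output, $2 = expected subject, $3 = minimum key bits
verify_change() {
    [ "$(session_state "$1")" = "New" ] || return 1
    [ "$(cert_subject "$1")" = "$2" ] || return 1
    bits=$(server_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$3" ] || return 1
    return 0
}

# Demonstration on the constructed samples.
if verify_change "$SAMPLE_AFTER_CHANGE" "CN = vip.example.com" 2048; then
    echo "new connection: fresh handshake, expected certificate, key >= 2048 bits"
fi
if ! verify_change "$SAMPLE_RESUMED" "CN = vip.example.com" 2048; then
    echo "old session resumed or weak key: cleanup did not take effect as expected"
fi
```

The functions work on captured output, so the same checks can be run against a file saved from a real `s_client` run; only the three summary lines matter, which keeps the parsing independent of the rest of the verbose output.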