DX - Load Balancing & Application Acceleration
DX - Load Balancing & Application Acceleration

SSL Clientauth - time to authenticate

‎09-26-2008 06:29 AM

Hi,

 

I'm using for a specific configuration an SSL cluster with Listen-SSL-Client authentication enable (authenticate via SSL client certificate).

After the 3-way TCP handshake, the DX requests the client to authenticate with a client certificate. Is there a 'timeout' configured/configurable for the authentication to occur before closing the TCP connection (to avoid DOS attacks by not showing the certificate) ?

 

Thanks,

Michel

1 REPLY 1
DX - Load Balancing & Application Acceleration
Solution
Accepted by topic author MichelVDH
‎08-26-2015 01:27 AM

Re: SSL Clientauth - time to authenticate

‎10-06-2008 05:05 AM

There is no configurable setting to timeout SSL client authentication for clusters/forwarders.   Once a TCP session is established to a cluster/forwarder the DX will keep the connection open, even if no HTTP request is sent.    If the connection count is getting near the maximum allowed connections the DX performs reaping cycles and closes connections it deems to be idle, to free up resources.

 

For SLB/ActiveN groups, there are configurable timers:

 

Possible arguments for "set slb session timeout":
ackwait              set global SLB Ack-Wait timeout
active               set global SLB active session timeout
closewait            set global SLB Fin-Wait session timeout

 

Three purge criteria can be used to end a session:

􀂄 ackwait: Three way TCP handshake has not completed within specified time

(default is 6 seconds).

􀂄 active: No active sessions are present within the specified time (default is 90

seconds).

􀂄 closewait: Sessions are terminated by the client (default is 12 seconds).

 

 

TCP Keep-alives can also be enabled with factory settings to test conections, to see if they have been closed silently by the client and/or target server.

Announcements

DX SERIES

The Juniper Networks DX application acceleration platform delivers a complete data center acceleration solution for Web-enabled and IP-based business applications.

RSS Icon