DataScript: avi.ssl.renegotiate


Function: avi.ssl.renegotiate()

Description: This function renegotiates the TLS connection with the client after the PKI profile, verification mode and frequency have been changed, typically based on factors such as the client IP, the TLS server name, or the HTTP host or URI.
If client certificate authentication is enabled before the renegotiate API call, the PKI settings are applied during the SSL session renegotiation. The HTTP request is parked until the renegotiation is complete.
SSL renegotiation disables SSL session resumption on the connection.
Note: If renegotiation is used after changing the PKI settings on the connection, the user's script must handle the result of the client authentication. Otherwise, the subsequent request on the TLS connection could fail. The script can either clear the error or close the connection.

Events: VS_DATASCRIPT_EVT_HTTP_REQ
VS_DATASCRIPT_EVT_HTTP_REQ_DATA

Parameters: None

Returns: None

Example: To disable client certificate authentication

if string.contains(avi.http.get_uri(), "secure") then
   -- Change the PKI attributes for this connection, then renegotiate so they take effect.
   avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
   avi.ssl.renegotiate()
   -- The script must consume the verification result; close the connection on error.
   verify_err, error_code = avi.ssl.client_cert_verify_error()
   if verify_err == 0 or (verify_err == 2 and error_code ~= 0) then
      avi.http.close_connection()
   end
end
Here, we check for a specific URI, change the PKI attributes and perform an SSL renegotiation. Then, if there is an error, we close the connection.

Caveats

  • In case there is an error but you have decided not to close the connection, then rectify the error. If you do not clear the error, subsequent requests might go into a path where the DataScript is not hit and the native request flow closes the connection due to the error.

  • Renegotiation does not work with the HTTP/2 protocol or with TLS 1.3.
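An added example, not from the Avi documentation, that generalizes the URI check above to selecting a PKI profile per HTTP host and handling the verification result as the Note and Caveats require. It assumes avi.http.get_host() and avi.vs.log() are available and reuses the page's own verify_err/error_code condition unchanged.

```lua
-- Added example (not from the Avi documentation): choose a PKI profile per
-- HTTP host, renegotiate once, and fail closed if client verification fails.
-- Assumed beyond this page: avi.http.get_host() and avi.vs.log() exist with
-- the obvious meaning; the verify_err/error_code check mirrors the page's
-- example and is not an independent description of those return values.

-- Constructed mapping of virtual hosts to PKI profile names.
local pki_by_host = {
  ["partners.example.com"] = "pkiprofile-partners-ca",
  ["admin.example.com"]    = "pkiprofile-admin-ca",
}

local host = avi.http.get_host()
local profile = pki_by_host[host]

if profile ~= nil then
  -- Require a client certificate for this host; authenticate only once so a
  -- later request on the same connection does not trigger another handshake.
  avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, profile, avi.AUTHENTICATE_ONLY_ONCE)

  -- Parks the current HTTP request until the new handshake completes.
  avi.ssl.renegotiate()

  -- The script must consume the verification result (see the Note and Caveats).
  local verify_err, error_code = avi.ssl.client_cert_verify_error()
  if verify_err == 0 or (verify_err == 2 and error_code ~= 0) then
    -- Fail closed: log the outcome for detection, then drop the connection
    -- rather than leaving an unhandled error for the native request path.
    avi.vs.log("client cert verification failed for host=" .. host ..
               " verify_err=" .. tostring(verify_err) ..
               " error_code=" .. tostring(error_code))
    avi.http.close_connection()
  end
end
```

Hosts that are not in the mapping are served without renegotiation, so the script never leaves an unhandled verification error on a connection it did not renegotiate.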