TL;DR
Repeatedly establishing full SSL handshakes for each connection is slow and inefficient. This guide shows you how to configure your server (e.g., Apache, Nginx) or client application to reuse existing SSL sessions, significantly speeding up connections.
How it Works
SSL session resumption allows a client and server to skip the full handshake process for subsequent connections. The server stores information about past handshakes (session ID). When a client reconnects with the same session ID, the server can quickly re-establish the connection without repeating expensive cryptographic operations.
Server Configuration
- Apache: Edit your Apache configuration file (e.g.,
httpd.conforssl.conf). Ensure these directives are present and configured appropriately:SSLSessionCache shmfile /var/cache/mod_ssl/ssl_session_cache timeout=3600 maxSessions=1000 SSLSessionTickets Enabled on SSLSessionTickets Lifetime 3600SSLSessionCache: Specifies where to store session data. Adjust the path and size (maxSessions) as needed.SSLSessionTickets: Enables a more modern, efficient session resumption mechanism.
Restart Apache after making changes:
sudo systemctl restart apache2 - Nginx: Edit your Nginx configuration file (e.g.,
nginx.conf). Add or modify these directives within theserverblock:ssl_session_cache shared:SSL:10m; session_tickets on; session_ticket_key '$SSL_CERT_FILE'; ssl_session_timeout 10m;ssl_session_cache: Defines a shared memory zone for session data.10mallocates 10MB.session_tickets on: Enables session tickets.session_ticket_key: Specifies the key used to encrypt session tickets (usually your SSL certificate file).ssl_session_timeout: Sets the session timeout duration.
Restart Nginx after making changes:
sudo systemctl restart nginx
Client Configuration
Most modern clients (browsers, applications using TLS/SSL libraries) automatically support session resumption. However, you might need to explicitly enable it in some cases.
Python (Requests Library):
The requests library generally handles session persistence well if you reuse the same Session object for multiple requests to the same host.
import requests
s = requests.Session()
s.get('https://example.com') # First request - handshake occurs
s.get('https://example.com') # Subsequent requests - session resumption likely used
Using PoolingHttpClientConnectionManager is recommended:
CloseableHttpClient client = HttpClients.createDefault(); // or custom configuration with PoolingHttpClientConnectionManager
You can explicitly enable session resumption using the --session option to save and load a session:
curl --session /tmp/curl_session https://example.com
curl --session /tmp/curl_session https://example.com
Testing Session Resumption
- Wireshark: Use a network packet analyzer like Wireshark to capture SSL handshake packets. A full handshake will show a complete negotiation process (Client Hello, Server Hello, Certificate exchange, etc.). Session resumption will show a much shorter exchange, typically involving only a few packets.
- Server Logs: Check your server logs for messages related to session caching or ticket usage. These logs can confirm whether session resumption is enabled and working correctly.