Reuse SSL Sessions

G5 Cyber Security

1 week ago

TL;DR

Repeatedly establishing full SSL handshakes for each connection is slow and inefficient. This guide shows you how to configure your server (e.g., Apache, Nginx) or client application to reuse existing SSL sessions, significantly speeding up connections.

How it Works

SSL session resumption allows a client and server to skip the full handshake process for subsequent connections. The server stores information about past handshakes (session ID). When a client reconnects with the same session ID, the server can quickly re-establish the connection without repeating expensive cryptographic operations.

Server Configuration

Apache: Edit your Apache configuration file (e.g., httpd.conf or ssl.conf). Ensure these directives are present and configured appropriately:
```
SSLSessionCache shmfile /var/cache/mod_ssl/ssl_session_cache timeout=3600 maxSessions=1000
SSLSessionTickets Enabled on
SSLSessionTickets Lifetime 3600
```
- SSLSessionCache: Specifies where to store session data. Adjust the path and size (maxSessions) as needed.
- SSLSessionTickets: Enables a more modern, efficient session resumption mechanism.
Restart Apache after making changes: sudo systemctl restart apache2
Nginx: Edit your Nginx configuration file (e.g., nginx.conf). Add or modify these directives within the server block:
```
ssl_session_cache shared:SSL:10m;
session_tickets on;
session_ticket_key '$SSL_CERT_FILE';
ssl_session_timeout  10m;
```
- ssl_session_cache: Defines a shared memory zone for session data. 10m allocates 10MB.
- session_tickets on: Enables session tickets.
- session_ticket_key: Specifies the key used to encrypt session tickets (usually your SSL certificate file).
- ssl_session_timeout: Sets the session timeout duration.
Restart Nginx after making changes: sudo systemctl restart nginx

Client Configuration

Most modern clients (browsers, applications using TLS/SSL libraries) automatically support session resumption. However, you might need to explicitly enable it in some cases.

Python (Requests Library):

The requests library generally handles session persistence well if you reuse the same Session object for multiple requests to the same host.

import requests

s = requests.Session()
s.get('https://example.com') # First request - handshake occurs
s.get('https://example.com') # Subsequent requests - session resumption likely used

Java (HttpClient): Ensure you are using a connection manager that supports session caching.

Using PoolingHttpClientConnectionManager is recommended:

CloseableHttpClient client = HttpClients.createDefault(); // or custom configuration with PoolingHttpClientConnectionManager

cURL: cURL usually reuses sessions automatically if you use the same connection parameters.

You can explicitly enable session resumption using the --session option to save and load a session:

curl --session /tmp/curl_session https://example.com
curl --session /tmp/curl_session https://example.com

Testing Session Resumption

Wireshark: Use a network packet analyzer like Wireshark to capture SSL handshake packets. A full handshake will show a complete negotiation process (Client Hello, Server Hello, Certificate exchange, etc.). Session resumption will show a much shorter exchange, typically involving only a few packets.
Server Logs: Check your server logs for messages related to session caching or ticket usage. These logs can confirm whether session resumption is enabled and working correctly.