When the client connects to the same server again, it can send the same session ID as part of the Client Hello. The server first looks up whether it has a session with that ID. If found, the same session is reused, and the time spent verifying the certificates and negotiating the keys is saved. If the server cannot find a matching session, it responds with a new session ID and its certificate in the Server Hello message, and the client knows that it has to verify the certificate and negotiate the keys again.
A considerable amount of time is spent validating server certificates; reusing the SSL session saves this time.
But when there is more than one server behind a load balancer, and the client connects only to the load balancer, there is a likelihood that the load balancer forwards the second connection to a different server. Luckily, most load balancers today can be configured to provide SSL session stickiness, and hence they will forward the request properly. From my understanding, most load balancers achieve SSL session stickiness through IP stickiness.
The question is: how to find out if a server supports SSL session reuse? Or, if you are hitting load balancer, how to find out if the load balancer maintains SSL session stickiness?
OpenSSL has a useful application called "s_client" which can be used to find out if SSL session reuse is supported. The following command will do the magic:

openssl s_client -reconnect -state -prexit -connect ServerURL

(ServerURL is a host:port pair.) The important option here is "-reconnect". It disconnects and reconnects to the server five times using the same SSL session ID that came in the first Server Hello message, and prints each time whether the same session ID was reused or a new session ID was sent in the Server Hello message.
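Reading the "-reconnect" output by eye works for one host, but when checking a load balancer it helps to turn the transcript into a verdict. The script below is an added example, not part of the original post: it parses a saved s_client transcript, counts the "New," and "Reused," status lines, checks that the printed Session-ID stays the same across reconnects, and reports whether reuse worked, failed, or only partly worked (the "partial" case is what a load balancer without SSL session stickiness typically produces). The function names are my own, and the two sample transcripts are constructed and abbreviated, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post). Evaluate the output of:
#   openssl s_client -reconnect -state -prexit -connect host:port
# With -reconnect, s_client prints "New, <proto>, Cipher is ..." for the first
# handshake and then "Reused, ..." or "New, ..." for each of the reconnects,
# plus a "Session-ID:" line in every SSL-Session block.
# Function names are assumptions made for this example.

# Count "New," and "Reused," status lines in a transcript file.
# Prints: "<new_count> <reused_count>"
count_session_status() {
    new=$(grep -c '^New, ' "$1" || true)
    reused=$(grep -c '^Reused, ' "$1" || true)
    echo "$new $reused"
}

# Succeed (exit 0) only if every Session-ID in the transcript is identical.
# "Session-ID-ctx:" lines are deliberately not matched.
session_id_stable() {
    distinct=$(grep '^ *Session-ID:' "$1" | sed 's/^ *Session-ID: *//' | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 1 ]
}

# Verdict for a transcript file:
#   reuse-ok  - one full handshake, every reconnect resumed, one stable session ID
#   no-reuse  - the server (or load balancer) never resumed the session
#   partial   - a mix: some reconnects resumed, some did not (typical when a
#               load balancer sprays connections across backends)
verdict() {
    set -- "$1" $(count_session_status "$1")
    if [ "$3" -eq 0 ]; then
        echo no-reuse
    elif [ "$2" -eq 1 ] && session_id_stable "$1"; then
        echo reuse-ok
    else
        echo partial
    fi
}

# Constructed, abbreviated transcript of a server that resumes the session.
write_sample_reuse() {
    cat >"$1" <<'EOF'
CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0F1E2D3C4B5A69788796A5B4C3D2E1F0
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0F1E2D3C4B5A69788796A5B4C3D2E1F0
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0F1E2D3C4B5A69788796A5B4C3D2E1F0
EOF
}

# Constructed, abbreviated transcript where every reconnect gets a fresh
# session ID, i.e. no reuse at all.
write_sample_noreuse() {
    cat >"$1" <<'EOF'
CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1111111111111111111111111111111111111111
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 2222222222222222222222222222222222222222
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3333333333333333333333333333333333333333
EOF
}

# Live use (needs network access to the target), shown as comments only:
#   openssl s_client -reconnect -state -prexit -connect host:443 </dev/null >transcript.txt 2>&1
#   verdict transcript.txt
```

One caveat when reading the result: with TLS 1.3 the Session-ID field is only a compatibility value and resumption is done with session tickets, so for a TLS 1.3 server the "Reused," lines are the reliable signal and the session-ID comparison should not be over-interpreted.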