Thursday, January 17, 2008

SSL session reuse - how to find if supported?

Before I delve deeper, it's a good idea to be clear about SSL session reuse. Every time a client (browser, curl, etc.) connects to a server over SSL, the server creates a session for that connection. The session ID is sent as part of the Server Hello message. This is done for efficiency, in case the client plans to close the current connection and reconnect in the near future. Most servers have a timeout for these sessions (I think 24 hours is a common value, unless the server is pressed for space).

When the client connects to the same server again, it can send the same session ID as part of the Client Hello. The server first looks up whether it has a session with that ID. If found, the same session is reused, and the time spent verifying the certificates and negotiating the keys is saved. If the server cannot find a matching session, it responds with a new session ID and its certificate in the Server Hello message, and the client knows that it has to verify the certificate and negotiate the keys again.

A considerable amount of time is spent validating the server's certificate. Reusing the SSL session saves this time.

But when there is more than one server behind a load balancer, and the client connects only to the load balancer, there is a likelihood that the load balancer forwards the second connection to a different server, which knows nothing about the session. Luckily, most load balancers today can be configured to provide SSL session stickiness, so they forward the reconnection to the same server. From my understanding, most load balancers achieve SSL session stickiness through IP stickiness.

The question is: how to find out if a server supports SSL session reuse? Or, if you are hitting load balancer, how to find out if the load balancer maintains SSL session stickiness?

OpenSSL has a useful application called "s_client" which can be used to find out if SSL session reuse is supported. The following command will do the magic:
openssl s_client -reconnect -state -prexit -connect ServerURL
The important option here is "-reconnect". It disconnects and reconnects to the server 5 times using the same SSL session ID that came in the first Server Hello message. Each time it prints whether the same session ID was reused or a new session ID was sent in the Server Hello message.

5 comments:

pbrao said...

Very useful tip. Exactly what I was looking for. Thanks.

Anonymous said...

Hmmm. Is there anyway to get this to work while changing the timing?

I need to test persistence based on the SSL Session ID (for one of those load balancers you mentioned), but I need to vary the interval (say, at 5, 10, 30 and 300 seconds).

Anonymous said...

Good explanation. I am exactly looking for this to test session ID reuse.

Anonymous said...

You can also use the following:
openssl s_client -connect HOSTNAME:PORT -sess_out new.sess

This will export the used SSL session to a file.
Then you can use
openssl s_client -connect HOSTNAME:PORT -sess_in new.sess

to reuse the session from before.

Ron
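Putting the post's "-reconnect" check and Ron's "-sess_out"/"-sess_in" trick together, here is an added example script (not from the original post or its commenters) that saves a session, reconnects after chosen intervals, and reads the "New,"/"Reused," status lines that s_client prints. It assumes `openssl` is in PATH and that the caller sets PROBE_HOST to host:port; the sample s_client output embedded below is constructed for offline testing.

```shell
#!/bin/sh
# Added example: test SSL session reuse (or load-balancer session stickiness)
# at chosen intervals with openssl s_client. Assumes `openssl` is in PATH and
# PROBE_HOST=host:port is set by the caller (hypothetical variable name).

# Count the status lines s_client prints after each handshake: a line starting
# with "New," means a full handshake, "Reused," means the offered session was
# accepted. Reads s_client output on stdin, prints "new=N reused=M".
count_handshakes() {
    awk 'BEGIN { n = 0; r = 0 }
         /^New,/    { n++ }
         /^Reused,/ { r++ }
         END { printf "new=%d reused=%d\n", n, r }'
}

# Save one session, then reconnect after each interval (seconds) offering it.
# "reused=1" for an interval means the server, or the load balancer's
# stickiness, still honoured the session at that age. The `sleep 1 |` keeps
# the connection open briefly so a post-handshake session ticket can arrive.
probe_at_intervals() {
    host="$1"; shift
    sess="$(mktemp)"
    sleep 1 | openssl s_client -connect "$host" -sess_out "$sess" >/dev/null 2>&1
    for delay in "$@"; do
        sleep "$delay"
        result="$(sleep 1 | openssl s_client -connect "$host" -sess_in "$sess" \
                  2>/dev/null | count_handshakes)"
        echo "${delay}s: $result"
    done
    rm -f "$sess"
}

# Constructed sample of `openssl s_client -reconnect` output against a server
# that reuses sessions: one full handshake followed by five resumptions.
SAMPLE_RECONNECT_OUTPUT='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# Offline demonstration of the counter on the constructed sample.
demo_offline() {
    printf '%s\n' "$SAMPLE_RECONNECT_OUTPUT" | count_handshakes
}

if [ -n "${PROBE_HOST:-}" ]; then
    probe_at_intervals "$PROBE_HOST" 5 10 30 300
fi
```

Run it as `PROBE_HOST=example.test:443 sh probe.sh`; a line such as `300s: new=1 reused=0` shows the interval at which the server (or the balancer) stopped honouring the session.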

JJ said...

magician, I found what I need, tnx lot ;-)