TLS Sessions and Resumption

A TLS session represents a secure communication context established between a client and a server. It includes shared secret values such as symmetric encryption keys and MAC secrets, which allow the peers to communicate efficiently after the initial handshake. Reusing an existing session, rather than negotiating a new one, avoids repeating the computationally expensive asymmetric cryptographic operations required during the handshake.

Session Resumption Mechanisms

Different TLS versions use different mechanisms for session resumption:

The Role of sessiond

sessiond is designed specifically for environments that still use session IDs. It allows a cluster of SSL/TLS servers to share their session caches, preventing each node in the cluster from negotiating a separate session. This improves both performance and scalability when session IDs are in use.

However, because modern TLS (1.3 and later) no longer supports session IDs, sessiond is only relevant for legacy deployments that continue to rely on TLS 1.2 or earlier.

Configuration

sessiond accepts a port number as a parameter; the default is 54321.

The session timeout is currently hardcoded to 200 ms, which is a reasonable value to ensure uninterrupted operation in case of a sessiond server failure or a lost packet.

Security Considerations

Traffic between stunnel and sessiond is not encrypted, as the network infrastructure within a cluster is generally considered trusted.

Infrastructure security requirements:

Best Practices

For new deployments, TLS 1.3 with session tickets is the recommended approach. Session tickets eliminate the need for a shared session cache and simplify scaling in clustered environments. They also provide better long-term support and security compared to legacy session ID mechanisms.

sessiond should only be used when compatibility with older TLS versions (TLS 1.2 or earlier) is required.

Our supporters:
Go to the top