How should I check if SSL session resumption is working or not?
I'm using nginx, and want to implement SSL session resumption. How should we I test if it is working?
I have enabled these settings:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
I'm not sure of a way to test locally, but if your site is public, ssllabs provide a nice testing tool:
https://www.ssllabs.com/ssldb/index.html
You can use openssl to test locally :
openssl s_client -connect example.com:443 -reconnect -no_ticket -servername example.com
-servername
is required for SNI, and may be ignored otherwise
Or :
openssl s_client -connect example.com:443 -no_ticket -sess_out /tmp/ssl_s -servername example.com
openssl s_client -connect example.com:443 -no_ticket -sess_in /tmp/ssl_s -servername example.com
(The -no_ticket
option is needed to disable client-side TLS session tickets which also allow session resumption but is a different setting in nginx
, and limit the test to the server-side SSL session caching the OP's configuration controls.)
For the first command you'll get output like this :
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
For the last one, you'll get this in case of session resumption:
SSL handshake has read 142 bytes and written 583 bytes
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
or this in case of failure:
SSL handshake has read 5855 bytes and written 722 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
You can see the handshake is way bigger when it's new.