[RADIATOR] Suggestion: Support of TLS Session Resumption based on tickets and not just session IDs
Nadav Hod
nadav.hod at comm-it.co.il
Sun Oct 18 03:07:14 CDT 2015
Hi everyone,
Session Resumption as implemented by Radiator seems to work based on Session ID (connection caching at the server). I have not seen any session ticket fields in the exchanges so I'm guessing session tickets aren't implemented, feel free to correct me.
Session resumption with session IDs has a major limitation: servers are responsible for remembering negotiated TLS sessions for a given period of time. It poses scalability issues for servers with a large load of concurrent connections per second and for servers that want to cache sessions for a long time. Session ticket resumption is designed to address this issue.
OpenSSL supports Session Tickets as of OpenSSL 0.9.8h. It may be worth looking into. I'm not sure if session synchronization of tickets/cache between multiple servers is necessary for a AAA server (as opposed to a web server), but I imagine it may also provide a big performance boost in large deployments.
Feel free to give your thoughts on either issue.
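Added example, not part of the original post and not Radiator code: a Python check, for TLS 1.2 and earlier, of whether a captured ServerHello advertises the RFC 5077 SessionTicket extension (type 35) or only returns a session ID that the server must cache, which is the distinction discussed above. The function names and the sample records produced by `build_server_hello` are constructed for illustration.

```python
import struct

SESSION_TICKET_EXT = 35  # RFC 5077 SessionTicket extension type

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS <= 1.2 record holding a ServerHello."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or rec_len < 4 or body[0] != 2:
        raise ValueError("not a complete ServerHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # skip server_version and random
    sid_len = hello[pos]
    session_id = hello[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len + 2 + 1        # session id, cipher suite, compression
    if pos > len(hello):
        raise ValueError("session id overruns ServerHello")
    extensions = set()
    if pos + 2 <= len(hello):         # the extensions block is optional
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        if end > len(hello):
            raise ValueError("extensions overrun ServerHello")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            extensions.add(ext_type)
            pos += 4 + ext_len
    return {"session_id": session_id, "extensions": extensions}

def resumption_mode(record: bytes) -> str:
    info = parse_server_hello(record)
    if SESSION_TICKET_EXT in info["extensions"]:
        return "ticket"       # server will issue a ticket; state is held by the client
    if info["session_id"]:
        return "session-id"   # server has to remember this session in its cache
    return "none"

def build_server_hello(session_id: bytes, ext_types=()) -> bytes:
    """Constructed sample data: TLS 1.2 ServerHello with empty-bodied extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\xc0\x2f" + b"\x00"    # cipher suite, null compression
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

A server that supports tickets may still return a session ID in the same ServerHello, so the check reports "ticket" whenever extension 35 is present.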