How should I check if SSL session resumption is working or not?

Sabya, asked 2012-01-03 06:19:53 +0800 CST

I'm using nginx, and want to implement SSL session resumption. How should I test if it is working?

I have enabled these settings:

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

Tags: ssl, nginx, https

2 Answers

Bastien Durel, 2014-01-11T05:14:59+08:00

You can use openssl to test locally:

    openssl s_client -connect example.com:443 -reconnect -no_ticket -servername example.com

-servername is required for SNI, and may be ignored otherwise.

Or:

    openssl s_client -connect example.com:443 -no_ticket -sess_out /tmp/ssl_s -servername example.com
    openssl s_client -connect example.com:443 -no_ticket -sess_in /tmp/ssl_s -servername example.com

(The -no_ticket option is needed to disable client-side TLS session tickets, which also allow session resumption but are a different setting in nginx, and to limit the test to the server-side SSL session caching the OP's configuration controls.)

For the first command you'll get output like this:

    drop connection and then reconnect
    CONNECTED(00000003)
    ---
    Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

For the last one, you'll get this in case of session resumption:

    SSL handshake has read 142 bytes and written 583 bytes
    ---
    Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

or this in case of failure:

    SSL handshake has read 5855 bytes and written 722 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384

You can see the handshake is way bigger when it's new.

Best Answer

Shish, 2012-01-03T21:45:21+08:00

I'm not sure of a way to test locally, but if your site is public, ssllabs provide a nice testing tool: https://www.ssllabs.com/ssldb/index.html
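
Added example (not part of either answer): a shell helper that reads the `openssl s_client` output shown in Bastien Durel's answer and counts `Reused` versus `New` handshakes, so the check can run from a script or a monitoring job. The function name `resumption_summary`, its skip argument and the sample transcripts are constructed for illustration.

```shell
# Added example, not from the original answers.
# resumption_summary SKIP: read `openssl s_client` output on stdin and count
# handshakes by their "New, ..." / "Reused, ..." status line.
#   SKIP=1 for -reconnect output (the first handshake is always New)
#   SKIP=0 for the -sess_in run of the -sess_out / -sess_in pair
# Prints "reused=N new=M"; returns 0 only if every counted handshake was Reused.
resumption_summary() {
    awk -v skip="${1:-0}" '
        /^(New|Reused), / {
            seen++
            if (seen <= skip) next
            if ($1 == "Reused,") reused++; else fresh++
        }
        END {
            printf "reused=%d new=%d\n", reused, fresh
            exit !(reused > 0 && fresh == 0)
        }
    '
}

# Constructed sample: shape of -reconnect output (one full handshake, two reconnects).
SAMPLE_RECONNECT='CONNECTED(00000003)
---
SSL handshake has read 5855 bytes and written 722 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# Constructed sample: the -sess_in run when the server did not resume the session.
SAMPLE_MISS='SSL handshake has read 5855 bytes and written 722 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_RECONNECT" | resumption_summary 1   # reused=2 new=0
printf '%s\n' "$SAMPLE_MISS" | resumption_summary 0 || echo "session was not resumed"

# Live use (example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -reconnect -no_ticket </dev/null 2>/dev/null | resumption_summary 1
```

OpenSSL's s_client documentation notes that -no_ticket has no effect when TLS 1.3 is negotiated; adding -tls1_2 to the commands keeps the test on the session-ID resumption the answer describes.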