How to Verify SSL Session Resumption in Nginx: A Technical Testing Guide



SSL session resumption allows clients to reuse previously negotiated SSL parameters, reducing handshake overhead. In Nginx, this is controlled by two key directives:

ssl_session_cache    shared:SSL:10m;
ssl_session_timeout  10m;

Here are three reliable ways to verify if session resumption is working:

1. Using OpenSSL Command Line

The most straightforward method is using OpenSSL's s_client:

# First connection (full handshake; saves the session to a file)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -sess_out session.sess > session1.log

# Second connection (offers the saved session for resumption)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -sess_in session.sess > session2.log

Check the output for these indicators:

  • First connection: "New, TLSv1.3" (or similar)
  • Second connection: "Reused, TLSv1.3"

2. Wireshark Packet Analysis

Capture network traffic during two consecutive HTTPS requests:

  1. The first request shows a full TLS handshake
  2. The second request should show an abbreviated handshake using the session ID

3. Browser Developer Tools

Modern browsers provide SSL/TLS information:

  • Chrome: Security tab in Developer Tools
  • Firefox: Security tab in Network panel

For optimal session resumption:

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;  # Ticket-based resumption (TLS 1.2 and TLS 1.3)
ssl_buffer_size 4k;

If resumption isn't working:

  • Verify shared memory allocation is sufficient
  • Check for conflicting SSL directives
  • Test with different protocols (TLS 1.2 vs 1.3 behaves differently)

Properly configured session resumption can:

  • Reduce CPU usage by ~30-50% for repeat visitors
  • Decrease connection time by ~40-60%
  • Save bandwidth by avoiding full handshakes

When implementing SSL/TLS optimization in Nginx, session resumption is a crucial performance feature. The two directives you've configured (ssl_session_cache and ssl_session_timeout) create a shared memory zone for storing session parameters, allowing subsequent connections to skip the full TLS handshake.

Here are three effective ways to test if session resumption is working:

1. Using OpenSSL Command Line

# First connection (establishes session)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

# Second connection (should resume session)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -sess_out session.txt -reconnect

Look for these indicators in the output:

Reused, TLSv1.3 (successful resumption)

New, TLSv1.3 (new session created)

2. Wireshark Packet Analysis

Capture network traffic during two consecutive connections:

- First connection shows full TLS handshake (ClientHello, ServerHello, etc.)

- Subsequent connections should show abbreviated handshake with Session ID or Session Ticket extension

3. Nginx Logging

Add this to your Nginx configuration:

ssl_session_tickets on;
ssl_session_ticket_key /path/to/ticket.key;

log_format ssl_resumption '$remote_addr - $ssl_session_reused';
access_log /var/log/nginx/ssl_resumption.log ssl_resumption;
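
Once that log is being written, it can be summarised per client. The script below is an added example, not part of the original guide: it assumes the exact ssl_resumption format above, assumes nginx logs "r" for a resumed session, "." for a new one and "-" when the variable is unset (plain HTTP), and runs on constructed sample lines; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the log_format above: '$remote_addr - $ssl_session_reused'.
# Assumed values: "r" = resumed session, "." = new session,
# "-" = variable unset (request did not arrive over TLS).
LINE_RE = re.compile(r"^(?P<addr>\S+) - (?P<reused>[r.-])\s*$")

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    "192.0.2.10 - .",
    "192.0.2.10 - r",
    "198.51.100.7 - .",
    "198.51.100.7 - .",
    "198.51.100.7 - .",
    "203.0.113.5 - -",
    "2001:db8::1 - r",
    "truncated line",
]

def summarise(lines):
    """Return (per-client new/reused counts, number of unparsable lines)."""
    per_client = defaultdict(lambda: {"new": 0, "reused": 0})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        if m["reused"] == "-":  # plain HTTP request, nothing to count
            continue
        per_client[m["addr"]]["reused" if m["reused"] == "r" else "new"] += 1
    return dict(per_client), skipped

def resume_rate(per_client):
    """Fraction of logged TLS requests that ran on a resumed session."""
    reused = sum(c["reused"] for c in per_client.values())
    total = reused + sum(c["new"] for c in per_client.values())
    return reused / total if total else 0.0

def never_resumed(per_client, min_requests=3):
    """Clients with min_requests or more TLS requests and no resumption."""
    return sorted(addr for addr, c in per_client.items()
                  if c["reused"] == 0 and c["new"] >= min_requests)

if __name__ == "__main__":
    stats, bad = summarise(SAMPLE_LOG)
    print(f"resume rate {resume_rate(stats):.0%}, {bad} unparsable line(s)")
    print("never resumed:", never_resumed(stats))
```

The access log has one line per request, so several keep-alive requests on one resumed connection each count as "r"; the rate is per request, not per handshake.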

Issue: Sessions not being resumed despite configuration

Check:

- Ensure consistent SNI (Server Name Indication) usage

- Verify session timeout value is sufficient

- Check for interfering middleboxes (load balancers, CDNs)

Troubleshooting command:

# Verify the effective configuration
nginx -T 2>&1 | grep ssl_session

Compare handshake times with and without resumption:

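# Full handshake timing (saves the session for the next run)
time openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -sess_out session.sess < /dev/null > /dev/null 2>&1

# Resumed session timing (offers the saved session)
time openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -sess_in session.sess < /dev/null > /dev/null 2>&1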

Typical improvement: 50-70% reduction in handshake time for resumed sessions.

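# Session tickets (used by TLS 1.2 and TLS 1.3)
ssl_session_tickets on;
# Key file: 80 or 48 bytes of random data; restrict its permissions and rotate it regularly
ssl_session_ticket_key /etc/nginx/ticket.key;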

# For TLS 1.2 session IDs
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 4h;