Session ID Reuse in libcurl
Date: Mon, 28 Nov 2016 12:22:58 +0000
I've recently been undertaking some TLS performance investigation, and
as part of this I've been trying to understand how features like Session
ID reuse improve the set-up time of new TLS connections. I'm using the
libcurl multi interface in an existing application, and I'm trying to
request resources from two hostnames which resolve to the same server,
and the Subject Alternate Name in the server certificate is wildcarded
for both hosts.
However, I seem to be having issues actually getting Session ID Reuse to
work in my tests. When I capture the packets going out, every Client
Hello message does not have a Session ID, even though previous Server
Hellos from that host have supplied Session IDs. I'm using curl 7.51.0
alongside the following SSL libraries:
NSS 3.27.1 (NSPR 4.13.1)
I'm building both curl and the SSL library manually and not relying on
package-manager supplied versions so it should be reproducible on other
targets that I'm planning to test this on. I'm building this on an Ubuntu
16.04 host at present.
If I use the Ubuntu-supplied libcurl/7.47.0 and GnuTLS/3.4.10 versions,
I get the same result of no Session ID reuse but an older CentOS 7 box
running libcurl/7.29.0 and NSS/3.19.1 does reuse Session IDs correctly.
Am I missing an option when I'm building curl and/or my SSL libraries?
I'm mostly using defaults with the exception of specifying --without-ssl
--with-$SSL_LIB for the different SSL libraries and --prefix to install
into some testing directories.
I have spotted issue #1109 on the curl GitHub page, which specifically
singles out GnuTLS but I'm having issues with all of the above SSL
libraries that I'm testing.
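The packet-capture check described in the message (does each Client Hello carry a Session ID, and does the server echo it), as an added example that is not part of the original post or of curl. It assumes the TLS 1.2-and-earlier hello layout and that the hello records of one client have already been extracted from the capture in order; the function names are hypothetical and the sample records are constructed.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2

def hello_session_id(record: bytes):
    """Return (handshake_type, session_id) from one TLS <= 1.2 hello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != HANDSHAKE or rlen < 4 or len(body) != rlen:
        raise ValueError("not a complete handshake record")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message")
    msg = body[4:4 + hlen]
    # version (2 bytes) + random (32 bytes) precede the session_id length byte
    if len(msg) < 35 or msg[34] > 32 or len(msg) < 35 + msg[34]:
        raise ValueError("malformed hello")
    return htype, msg[35:35 + msg[34]]

def audit_resumption(records):
    """Label each ClientHello, in order: 'none', 'offered' or 'resumed'."""
    results, pending = [], None
    for rec in records:
        htype, sid = hello_session_id(rec)
        if htype == CLIENT_HELLO:
            pending = sid
            results.append("offered" if sid else "none")
        else:
            # A server resumes by echoing the non-empty ID the client offered.
            if sid and sid == pending:
                results[-1] = "resumed"
            pending = None
    return results

def make_hello(htype, sid):
    """Build a minimal hello record (constructed sample, not a real capture)."""
    tail = b"\x00\x02\x00\x2f\x01\x00" if htype == CLIENT_HELLO else b"\x00\x2f\x00"
    msg = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + tail
    hs = bytes([htype]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

ID_A, ID_B = b"\xaa" * 32, b"\xbb" * 32  # constructed session IDs
NO_REUSE = [make_hello(1, b""), make_hello(2, ID_A), make_hello(1, b""), make_hello(2, ID_B)]
REUSE = [make_hello(1, b""), make_hello(2, ID_A), make_hello(1, ID_A), make_hello(2, ID_A)]

if __name__ == "__main__":
    print(audit_resumption(NO_REUSE), audit_resumption(REUSE))
```

Ticket-based resumption (the SessionTicket extension) is not examined here, only the Session ID field.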