TLS Session Resumption in php

Question

I'm writing a multithreaded php client that makes a https requests to an apache reversed proxy and measures some statistics. I'm writing a bachelor thesis about improving the performance with TLS Session Resumption. Now I need to do a proof of concept that proves/disproves this. At the moment I have this code:

            $this->synchronized(function($this){
                $this->before = microtime(true);
            }, $this);

            $url = 'https://192.168.0.171/';
            # Some dummy data
            $data = array('name' => 'Nicolas', 'bank account' => '123462343');

            // use key 'http' even if you send the request to https://...
            $options = array(
                'http' => array(
                    'header' => "Content-type: application/x-www-form-urlencoded\r\n",
                    'method' => 'POST',
                    'content' => http_build_query($data)
                ),
                "ssl" => array(
                    "verify_peer" => false,
                    "verify_peer_name" => false,
                    "ciphers" => "HIGH:!SSLv2:!SSLv3"
                )
            );

            $context = stream_context_create($options);
            $result = file_get_contents($url, false, $context);
            $this->synchronized(function($this){
                $this->after = microtime(true);
            }, $this);

            $this->counter_group->write($this->before, $this->after, $result); 

This code works to do a full handshake, but I can't seem to figure out how to do an resumed handshake in php?

Any help would be greatly appreciated!

Answer 1

You can try PHP curl and use CURL_LOCK_DATA_SSL_SESSION

from PHP documentation http://php.net/manual/en/function.curl-share-setopt.php

CURL_LOCK_DATA_SSL_SESSION Shares SSL session IDs, reducing the time spent on the SSL handshake when reconnecting to the same server. Note that SSL session IDs are reused within the same handle by default

As you can read from the description above, the session id is reused by the same handle. But if you want to share between handles you can use curl_share_init for example

$sh = curl_share_init();
curl_share_setopt($sh, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);
curl_share_setopt($sh, CURLSHOPT_SHARE, CURL_LOCK_DATA_DNS);

then you can reuse $sh between different requests

$ch1 = curl_init('https://192.168.0.171');
curl_setopt($ch1, CURLOPT_SHARE, $sh);
curl_setopt($ch1, CURLOPT_SSLVERSION, 6); // TLSV1.2
curl_setopt($ch1, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

curl_setopt($ch1, CURLOPT_POST, 1);
curl_setopt($ch1, CURLOPT_POSTFIELDS, 
http_build_query( array('name' => 'Nicolas', 'bank account' => '123462343') ));
curl_setopt($ch1, CURLOPT_RETURNTRANSFER, true);

$output = curl_exec($ch1);

and then reuse ( resumed handshake )

$ch2 = curl_init('https://192.168.0.171');
curl_setopt($ch2, CURLOPT_SHARE, $sh);
curl_setopt($ch2, CURLOPT_SSLVERSION, 6); // TLSV1.2
curl_setopt($ch2, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, true);
// ( ... )
curl_exec($ch2);

and close connections

curl_close($ch1);
curl_close($ch2);

But you also need to play with CURLOPT_SSLVERSION and CURLOPT_SSL_CIPHER_LIST . Also, I think you should switch to a different language as PHP has its own quirks, and if you prove or disproves thesis, it's better to use something closer to bare metal so you are sure the extra layer (PHP) doesn't break your benchmarks. I did measure the performance of both requests and it's a bit counter-intuitive but the second one is almost twice slower.