
I use Caddy (a webserver written in Go), I have TLS 1.0-TLS 1.2 allowed, and Go supports only the tickets option of session resumption (the TLS session data is stored on the client side).

Now I'm not quite sure about when the TLS resumption should occur. Regardless of the ticket lifetime (which I think is a week by default) and the Session Ticket Encryption Keys (which are rotated every 10 hours, and Caddy "remembers" the last 4), none of those should be the issue.

As far as I understand, the session resumption should occur whenever the ticket is still valid and the browser hasn't been restarted, which means that even if I changed my IP address, the TLS ticket should still work. But that's not the case for me: when I access the webserver (using both Chrome and Firefox) I get a TLS ticket, which remains valid throughout my browsing of that webserver, but when I change my IP address (either by proxy or by changing Wi-Fi) the ticket is not accepted on the server side and a full TLS handshake is made, in which I get a new ticket.

So my main question: does TLS session resumption only work within a TCP session and whenever a new TCP session is started the former TLS ticket becomes invalid?

RefaelF
  • 'Does TLS session resumption only work within a TCP session': no, but it only works between the same peers. – user207421 Feb 05 '20 at 09:57

1 Answer


... does TLS session resumption only work within a TCP session

Given that there is almost always only a single TLS handshake in a TCP connection, that would not make much sense.

Session resumption with tickets works as long as the client sends a session ticket and the server has the necessary secrets to extract the information from the ticket. The server might implement additional restrictions though, like encoding the client IP in the ticket and checking if it is still the same.

Steffen Ullrich
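The answer's point, that a ticket is tied to the peers and to the server's ticket secrets rather than to the TCP connection, can be checked directly against Go's crypto/tls, the stack Caddy is built on. The program below is an added example, not code from the question, the answer or Caddy: it starts a loopback TLS 1.2 server with default ticket settings, dials it over two fresh TCP connections and reports DidResume for each handshake; the self-signed certificate, the loopback port and the session cache size are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup steps that should never fail simply panic
	if err != nil {
		panic(err)
	}
	return v
}

// ResumeAcrossConnections starts a ticket-issuing Go TLS server, dials it over two
// separate TCP connections and reports DidResume for each handshake (false, then true).
func ResumeAcrossConnections() (first, second bool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // throwaway self-signed cert (assumption)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	// Server: the default Config keeps tickets enabled and generates its own ticket-encryption key.
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}))
	defer ln.Close()
	go func() {
		for i := 0; i < 2; i++ { // one accept per client connection below
			c := must(ln.Accept())
			go func() { io.Copy(io.Discard, c); c.Close() }() // handshake runs on first Read, then wait for client EOF
		}
	}()
	// Client: a ticket is only re-offered if the client keeps a session cache. TLS 1.2 is
	// pinned (the question's range); there the ticket is delivered inside the handshake.
	cfg := &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12, ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	dial := func() bool {
		c := must(tls.Dial("tcp", ln.Addr().String(), cfg))
		defer c.Close()
		return c.ConnectionState().DidResume
	}
	first = dial()  // new TCP connection: full handshake, server issues a ticket
	second = dial() // another new TCP connection, same peers: ticket accepted
	return first, second
}

func main() { fmt.Println(ResumeAcrossConnections()) } // false true
```

The second handshake resumes even though it runs on a brand-new TCP connection; what would break it is a client that discards its cache, a server whose ticket keys have all rotated out, or an extra server-side check such as the IP binding the answer mentions.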