
I'm testing a scenario where 2 applications residing on 2 separate Windows 2012 R2 servers are opening N concurrent TLS 1.2 mutual authentication sessions (using different certificates for the client authentication part) to the same server.

Due to the fact that all sessions are going through the same Schannel modules on the client side as well as on the server side, I was wondering if it might be possible that the N sessions (or a subset) might be ending up sharing / using the same cryptographic material (i.e. symmetric session keys) in a CPU processing optimization solution on the server / client side.

Should this be the case, what would be the best way to verify this?

I've tried to check in the RFC but I'm not 100% sure what the expected protocol behavior is under these specific circumstances.

Hope the description makes sense.

Thanks,

Ottootto

1 Answer

If they use a different client cert they can't share an SSL/TLS session, because the peer cert (and its status) is part of the security context.

Even if they can/could share a session and thus use the same master secret, the actual keys (plural) (and IVs if applicable) used on each connection are different because the per-connection nonces are used in the KDF; see F.1.4 in RFC 5246 (same as 4346 and 2246).

dave_thompson_085
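The point about per-connection nonces, as an added example that is not part of the original answer: the TLS 1.2 key expansion from RFC 5246 (sections 5 and 6.3), run twice over one master secret with different client and server randoms. The master secret, the randoms and the AES-128-GCM key-block layout (no MAC keys, 16-byte keys, 4-byte fixed IVs) are constructed sample values chosen for illustration.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_connection_keys(master_secret: bytes, client_random: bytes,
                           server_random: bytes) -> dict:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random).

    Split for an AES-128-GCM suite (assumed layout for this example).
    """
    seed = b"key expansion" + server_random + client_random
    kb = p_sha256(master_secret, seed, 40)
    return {
        "client_write_key": kb[0:16],
        "server_write_key": kb[16:32],
        "client_write_iv": kb[32:36],
        "server_write_iv": kb[36:40],
    }


def shared_fields(a: dict, b: dict) -> list:
    """Names of key-block fields that are byte-identical on both connections."""
    return [name for name in a if a[name] == b[name]]


# Constructed sample values: one resumed session (same master secret),
# two connections with their own hello randoms.
MASTER_SECRET = bytes(range(48))
CONN_A = derive_connection_keys(MASTER_SECRET, b"\x01" * 32, b"\x02" * 32)
CONN_B = derive_connection_keys(MASTER_SECRET, b"\x03" * 32, b"\x04" * 32)

if __name__ == "__main__":
    for name in CONN_A:
        print(f"{name:17} A={CONN_A[name].hex()} B={CONN_B[name].hex()}")
    print("fields shared between connections:", shared_fields(CONN_A, CONN_B))
```
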