Configure IIS 8.5 TLS session resumption?

2

1

We have a couple of IIS 8.5 web servers running on Server 2012 R2 with SSL/TLS enabled.

One important new feature in IIS 8.5 is support for TLS session resumption. This is great because it reduces the TLS negotiation traffic from two RTTs to one. We're working on some data reduction for a service we have, so this is critical.

The great news is that it seems to 'just work' in IIS 8.5 after binding https traffic and attaching the certificate. We see the TLS handshake on the first request and on subsequent requests we just see the data being exchanged.

Does anyone know:

  • What is the default timeout for TLS session resumption in IIS 8.5?
  • How can I adjust and configure this timeout?

For more info about TLS session resumption in Server 2012 R2 please see this Microsoft doc: https://technet.microsoft.com/en-us/library/hh831771.aspx

Also: If someone could create and tag this with "iis-8.5" that would be much appreciated. I don't have enough points on SuperUser to create tags.

Thank you!

Edit: I did a bit more testing. This does not appear to be dependent on the application pool. Starting, stopping, and recycling the app pool didn't cause the TLS handshake to reoccur. However restarting the site in IIS (as presumed) does trigger a re-handshake.

cvocvo

Posted 2016-04-08T19:23:40.560

Reputation: 121

Answers

0

Jean Sun on the iis.net forums pointed me in the right direction and then I did some more experimentation of which you'll see below. I'm answering and marking this as the answer here so there is some more information available for this. Here are the posts from there (https://forums.iis.net/p/1231668/2119245.aspx)

Jean Sun's Post

Hi,

Please try Setting the SSL Cache Time-out Interval, you can find how to do it in the following link.

https://technet.microsoft.com/en-us/library/cc781248(v=ws.10).aspx

Best Regards,

Jean

My Post Back with Further Details

Bingo. That is the setting. Thank you!

Do you know what is a safe and recommended value if I'm expecting to have a few thousand connections every few minutes 24/7? It'd be the same clients connecting every few minutes.

Also for this to work do you know if it's required that the client uses / send keep-alive packets? I don't want to have the clients do that.

Edit: See note below. It appears that keep-alive packets are required, but data savings per server request still occur if you make more than one request every (roughly) 14 minutes (from my experience).

Best,

Chris

Edit: After looking at the traffic again in Wireshark it appears the TCP keep-alive packets are being sent with or without the registry key being set. So I disabled keep-alive in IIS and it broke this functionality, regardless of the registry key being configured. It appears that TLS keep-alive is a core tenet of TLS resumption.

In case anyone else needs to know, the TCP keep-alive packets are 55 bytes (440 bits) in size. From my observation, these are sent roughly every 45 seconds over the max timeout of the SCHANNEL cache.

One other peculiar behavior:

I set the SCHANNEL cache in the registry to 2 minutes. Before I set this on Server 2012 R2 I was experiencing roughly 2 hours of cache time before the SSL/TLS handshake re-occurred.

After removing the registry key, IIS still appears to be referencing this two-minute caching value even after a server restart. So it appears after setting this value you need to increase/decrease this time as desired, because you won't be able to go back to the server default value state without it being explicitly set that way.

cvocvo

Posted 2016-04-08T19:23:40.560

Reputation: 121
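For anyone who wants to script the setting the answer points to rather than editing the registry by hand, here is an added example (not code from the original question or answer). It reads and sets the Schannel `ServerCacheTime` value (a DWORD in milliseconds) under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`, which is the server-side session cache lifetime the linked TechNet page describes. It assumes the documented default of 10 hours (36,000,000 ms), warns that a value of 0 disables the server-side cache (so no resumption at all), and, following the author's observation that deleting the value did not restore the old behaviour, returns to the default by writing it explicitly instead of removing the value. The function names are my own. Run it from an elevated PowerShell session and restart the server afterwards so Schannel picks up the change.

```powershell
# Added example, not part of the original post: inspect and set the Schannel
# server-side TLS session cache lifetime on Windows Server 2012 R2 / IIS 8.5.
# Run elevated. Function names are hypothetical (not a Microsoft cmdlet set).

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$DefaultServerCacheTimeMs = 36000000   # documented Schannel default: 10 hours

function Get-SchannelCacheSettings {
    # Returns the cache-related values; $null for a value means "not set, default applies".
    $props = Get-ItemProperty -Path $SchannelKey -ErrorAction Stop
    [pscustomobject]@{
        ServerCacheTimeMs = $props.ServerCacheTime
        ClientCacheTimeMs = $props.ClientCacheTime
        MaximumCacheSize  = $props.MaximumCacheSize
    }
}

function Set-SchannelServerCacheTime {
    # Sets ServerCacheTime from a lifetime given in minutes. The registry value is in milliseconds.
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 35791)]   # keeps the millisecond value inside a 32-bit DWORD
        [int]$Minutes
    )
    $ms = $Minutes * 60 * 1000
    if ($ms -eq 0) {
        Write-Warning 'ServerCacheTime = 0 disables the server-side session cache; clients will do a full handshake every time.'
    }
    # -Force overwrites an existing value; New-ItemProperty creates it if it is absent.
    New-ItemProperty -Path $SchannelKey -Name 'ServerCacheTime' -PropertyType DWord -Value $ms -Force | Out-Null
    Write-Host "ServerCacheTime set to $ms ms ($Minutes min). Restart the server for Schannel to apply it."
}

function Reset-SchannelServerCacheTime {
    # Writes the default explicitly instead of deleting the value, since the poster
    # observed that removing the value did not bring the previous lifetime back.
    New-ItemProperty -Path $SchannelKey -Name 'ServerCacheTime' -PropertyType DWord -Value $DefaultServerCacheTimeMs -Force | Out-Null
    Write-Host "ServerCacheTime set back to the documented default of $DefaultServerCacheTimeMs ms (10 hours). Restart the server."
}

# Usage:
Get-SchannelCacheSettings            # see what is currently configured
Set-SchannelServerCacheTime -Minutes 120   # e.g. a two-hour server-side session cache
# Reset-SchannelServerCacheTime      # return to the 10-hour default when done testing
```

Two practical notes: the value is per machine, not per site or application pool, which matches the poster's finding that recycling the app pool did not force a new handshake; and the cache only lets a client that still holds a session resume it, so a client that drops its session (or a load balancer that sends it to a different server) will still negotiate a full handshake regardless of how long the cache lifetime is.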