I’ve got a short-lived client process that talks to a server over SSL. The process is invoked frequently and only runs for a short time (typically for less than 1 second). This process is intended to be used as part of a shell script used to perform larger tasks and may be invoked pretty frequently.
The SSL handshaking it performs each time it starts up is showing up as a significant performance bottleneck in my tests and I’d like to reduce this if possible.
One thing that comes to mind is taking the session id and storing it somewhere (kind of like a cookie), and then re-using this on the next invocation, however this is making me feel uneasy as I think there would be some security concerns around doing this.
So, I’ve got a couple of questions:
- Is this a bad idea?
- Is this even possible using OpenSSL?
- Are there any better ways to speed up the SSL handshaking process?
After the handshake, you can get the SSL session information from your connection with SSL_get_session(). You can then use i2d_SSL_SESSION() to serialise it into a form that can be written to disk.

When you next want to connect to the same server, you can load the session information from disk, then unserialise it with d2i_SSL_SESSION() and use SSL_set_session() to set it (prior to SSL_connect()).

The on-disk SSL session should be readable only by the user that the tool runs as, and stale sessions should be overwritten and removed frequently.
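The storage rules from the answer above (cache file readable only by the invoking user, stale sessions overwritten and removed), as an added example that is not part of the original answer. It uses the `openssl s_client` options `-sess_out` and `-sess_in` in place of the C calls; `SESSION_DIR`, `MAX_AGE_MIN` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: user-only, short-lived TLS session cache around `openssl s_client`.
# SESSION_DIR, MAX_AGE_MIN and all function names are assumptions of this example.
SESSION_DIR="${SESSION_DIR:-$HOME/.cache/tls-sessions}"
MAX_AGE_MIN="${MAX_AGE_MIN:-5}"

# One cache file per server; anything outside [A-Za-z0-9.-] becomes "_".
session_file() {
    printf '%s/%s.sess\n' "$SESSION_DIR" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9.-' '_')"
}

# True only for a regular file (no symlink) that we own, with mode exactly
# 0600, modified less than MAX_AGE_MIN minutes ago.
session_usable() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -user "$(id -u)" -perm 600 -mmin "-$MAX_AGE_MIN" 2>/dev/null)" ]
}

# Remove every cached session older than MAX_AGE_MIN minutes.
purge_stale() {
    [ -d "$SESSION_DIR" ] || return 0
    find "$SESSION_DIR" -type f -name '*.sess' -mmin "+$MAX_AGE_MIN" -exec rm -f {} +
}

# Connect to host:port, resuming from the cache when it passes the checks,
# then overwrite the cache with the session negotiated on this connection.
connect_with_resumption() (
    umask 077                                   # new files are created 0600
    mkdir -p "$SESSION_DIR" && chmod 700 "$SESSION_DIR" || exit 1
    purge_stale
    cache=$(session_file "$1"); tmp="$cache.$$"
    if session_usable "$cache"; then
        openssl s_client -connect "$1" -sess_in "$cache" -sess_out "$tmp" </dev/null
    else
        rm -f "$cache"                          # never feed an untrusted file to -sess_in
        openssl s_client -connect "$1" -sess_out "$tmp" </dev/null
    fi
    rc=$?
    if [ -s "$tmp" ]; then mv -f "$tmp" "$cache"; else rm -f "$tmp"; fi
    exit "$rc"
)
```

In the `s_client` output, a line beginning with `Reused` rather than `New` shows that the cached session was accepted by the server.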