Citrix

Product Documentation

Support for TLS Session Ticket Extension

Dec. 22, 2016

Note

This feature was introduced in release 11.1 build 51.x.

An SSL handshake is a CPU-intensive operation. If session reuse is enabled, the server/client key exchange operation is skipped for existing clients. They are allowed to resume their sessions. This improves the response time and increases the number of SSL transactions per second that a server can support. However, the server must store details of each session state, which consumes memory and is difficult to share among multiple servers if requests are load balanced across servers.

NetScaler appliances support the SessionTicket TLS extension. Use of this extension indicates that the session details are stored on the client instead of on the server. The client must indicate that it supports this mechanism by including the session ticket TLS extension in the client Hello message. For new clients, this extension is empty. The server sends a new session ticket in the NewSessionTicket handshake message. The session ticket is encrypted by using a key-pair known only to the server. If a server cannot issue a new ticket at this time, it completes a regular handshake.
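The two handshake messages described above are easy to recognise on the wire, which is useful when verifying from a capture that clients really are offering the extension and that the appliance really is issuing tickets. The following parser is an added example written for this page; it is not NetScaler code. It decodes a TLS 1.2 ClientHello to classify the client as "unsupported" (no SessionTicket extension, type 35), "new" (extension present but empty) or "resume" (a ticket is being presented), and decodes a NewSessionTicket message (handshake type 4, RFC 5077 section 3.3) to recover the ticket_lifetime_hint. The sample messages are constructed inline, not captured, and the check against a configured lifetime assumes that the appliance places its sessionTicketLifeTime value in the lifetime hint field, which this page does not state explicitly.

```python
import struct

# Type numbers from RFC 5246 (handshake types) and RFC 5077 (extension type 35).
EXT_SESSION_TICKET = 35
HS_CLIENT_HELLO = 1
HS_NEW_SESSION_TICKET = 4


def _handshake_body(msg: bytes, expected_type: int) -> bytes:
    """Strip the 4-byte handshake header (1-byte type, 24-bit length) and return the body."""
    if len(msg) < 4 or msg[0] != expected_type:
        raise ValueError("not the expected handshake message type")
    length = int.from_bytes(msg[1:4], "big")
    if len(msg) - 4 < length:
        raise ValueError("truncated handshake message")
    return msg[4:4 + length]


def parse_client_hello_extensions(msg: bytes) -> dict:
    """Return {extension_type: extension_data} for a ClientHello handshake message."""
    body = _handshake_body(msg, HS_CLIENT_HELLO)
    pos = 2 + 32                                                  # client_version + random
    pos += 1 + body[pos]                                          # session_id<0..32>
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")          # cipher_suites<2..2^16-2>
    pos += 1 + body[pos]                                          # compression_methods<1..2^8-1>
    exts = {}
    if pos == len(body):
        return exts                                               # legacy client: no extensions block
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def session_ticket_state(msg: bytes) -> str:
    """'unsupported' = no extension, 'new' = empty extension, 'resume' = ticket presented."""
    exts = parse_client_hello_extensions(msg)
    if EXT_SESSION_TICKET not in exts:
        return "unsupported"
    return "new" if len(exts[EXT_SESSION_TICKET]) == 0 else "resume"


def parse_new_session_ticket(msg: bytes):
    """Return (ticket_lifetime_hint_seconds, opaque_ticket) from a NewSessionTicket message."""
    body = _handshake_body(msg, HS_NEW_SESSION_TICKET)
    lifetime_hint, ticket_len = struct.unpack("!IH", body[:6])
    ticket = body[6:6 + ticket_len]
    if len(ticket) != ticket_len:
        raise ValueError("truncated ticket")
    return lifetime_hint, ticket


def lifetime_hint_matches_profile(msg: bytes, configured_seconds: int) -> bool:
    """Assumption: the profile's sessionTicketLifeTime is what appears in the lifetime hint."""
    return parse_new_session_ticket(msg)[0] == configured_seconds


def build_client_hello(extensions):
    """Construct a minimal ClientHello (zero random, empty session_id, one suite) for testing."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version 1.2, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                            # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                                    # null compression only
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def build_new_session_ticket(lifetime_hint: int, ticket: bytes) -> bytes:
    """Construct a NewSessionTicket message as a server would send it."""
    body = struct.pack("!IH", lifetime_hint, len(ticket)) + ticket
    return bytes([HS_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


# Constructed sample messages (not real captures). The server_name extension (type 0)
# is included on the new client to show that unrelated extensions are skipped correctly.
SERVER_NAME_EXT = b"\x00\x0c\x00\x00\x09localhost"
NEW_CLIENT = build_client_hello([(0, SERVER_NAME_EXT), (EXT_SESSION_TICKET, b"")])
RESUMING_CLIENT = build_client_hello([(EXT_SESSION_TICKET, b"\xaa" * 48)])
LEGACY_CLIENT = build_client_hello(None)
TICKET_MSG = build_new_session_ticket(300, b"\xaa" * 48)

if __name__ == "__main__":
    for label, hello in (("new", NEW_CLIENT), ("resuming", RESUMING_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(label, "->", session_ticket_state(hello))
    hint, ticket = parse_new_session_ticket(TICKET_MSG)
    print("lifetime hint:", hint, "seconds; ticket bytes:", len(ticket))
    print("matches profile lifetime 300:", lifetime_hint_matches_profile(TICKET_MSG, 300))
```

Run against real traffic, the same functions can be fed the handshake bytes of a decoded TLS record; a front end that has the extension enabled but never answers a "new" client with a NewSessionTicket is the symptom to look for when the profile is not bound to the virtual server that actually terminates the session.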

This feature is available only in front-end SSL profiles, and only at the front end of communication in which the NetScaler appliance acts as a server and generates session tickets. To learn more about front-end SSL profiles, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-profiles1.html.

Limitations

  • This feature is not supported on a FIPS platform or in a cluster setup.
  • This feature is supported only with TLS versions 1.1 and 1.2.

To enable TLS session ticket extension by using the NetScaler CLI

At the command prompt, type:

set ssl profile <name> -sessionTicket ( ENABLED | DISABLED ) [-sessionTicketLifeTime <positive_integer>]

Arguments

sessionTicket

State of TLS session ticket extension. Use of this extension indicates that the session details are stored on the client instead of on the server, as defined in RFC 5077.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sessionTicketLifeTime

Specify a time, in seconds, after which the session ticket expires and a new SSL handshake must be initiated. 

Default value: 300

Minimum value: 0

Maximum value: 172800

Example

> add ssl profile profile1 -sessionTicket ENABLED -sessionTicketLifeTime 300

Done

To enable TLS session ticket extension by using the NetScaler GUI

  1. Navigate to System > Profiles. Select SSL Profiles.
  2. Click Add and specify a name for the profile. 
  3. Select Session ticket.
  4. Optionally, specify Session Ticket Lifetime (secs).
