An SSL handshake is a CPU-intensive operation. If session reuse is enabled, the server/client key exchange operation is skipped for existing clients. They are allowed to resume their sessions. This improves the response time and increases the number of SSL transactions per second that a server can support. However, the server must store details of each session state, which consumes memory and is difficult to share among multiple servers if requests are load balanced across servers.
NetScaler appliances support the SessionTicket TLS extension. Use of this extension indicates that the session details are stored on the client instead of on the server. The client must indicate that it supports this mechanism by including the session ticket TLS extension in the client Hello message. For new clients, this extension is empty. The server sends a new session ticket in the NewSessionTicket handshake message. The session ticket is encrypted by using a key-pair known only to the server. If a server cannot issue a new ticket at this time, it completes a regular handshake.
This feature is available only in front-end SSL profiles, and only at the front end of communication in which the NetScaler appliance acts as a server and generates session tickets. To learn more about front-end SSL profiles, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-profiles1.html.
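The ClientHello behaviour described above (the extension is present but empty for a new client, and carries the ticket on resumption) can be checked from a captured handshake. The following is an added example, not Citrix code: it parses a raw ClientHello handshake message and reports what the client offered. The function names and the sample messages are constructed for illustration; extension type 35 is the SessionTicket value assigned by RFC 5077.

```python
import struct

SESSION_TICKET_EXT = 35  # SessionTicket TLS extension type (RFC 5077)

def build_client_hello(extensions):
    """Constructed sample input: minimal TLS 1.2 ClientHello with (type, data) extensions."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)     # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body

def session_ticket_offer(handshake):
    """Return None if the ClientHello carries no SessionTicket extension,
    b"" if the extension is present but empty (new client),
    or the ticket bytes if the client is asking to resume."""
    if len(handshake) < 4 or handshake[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = handshake[4:]
    if len(body) != int.from_bytes(handshake[1:4], "big"):
        raise ValueError("ClientHello length mismatch")
    try:
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if pos + 2 > len(body):
        return None                                           # no extensions block
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if ext_end > len(body):
        raise ValueError("extensions block overruns message")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len or pos + 4 + ext_len > ext_end:
            raise ValueError("truncated extension")
        if ext_type == SESSION_TICKET_EXT:
            return data
        pos += 4 + ext_len
    return None

if __name__ == "__main__":
    groups = (10, b"\x00\x02\x00\x17")                        # unrelated extension
    for label, exts in [("no ticket support", [groups]),
                        ("new client", [groups, (35, b"")]),
                        ("resuming client", [(35, bytes(range(16)))])]:
        print(label, "->", session_ticket_offer(build_client_hello(exts)))
```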
To enable TLS session ticket extension by using the NetScaler CLI
At the command prompt, type:
set ssl profile <name> -sessionTicket ( ENABLED | DISABLED ) [-sessionTicketLifeTime <positive_integer>]
sessionTicket
State of TLS session ticket extension. Use of this extension indicates that the session details are stored on the client instead of on the server, as defined in RFC 5077.
Possible values: ENABLED, DISABLED
Default value: DISABLED
sessionTicketLifeTime
Specify a time, in seconds, after which the session ticket expires and a new SSL handshake must be initiated.
Default value: 300
Minimum value: 0
Maximum value: 172800
To enable TLS session ticket extension by using the NetScaler GUI
- Navigate to System > Profiles. Select SSL Profiles.
- Click Add and specify a name for the profile.
- Select Session ticket.
- Optionally, specify Session Ticket Lifetime (secs).