I scanned my servers' SSL/TLS configuration using https://www.ssllabs.com/ssltest/, and it reported Session resumption (caching) No (IDs assigned but not accepted)
I'm using 2 instances of Azure web roles behind a round-robin load balancer. I believe session resumption got broken due to the session IDs being cached on one server but not on the other.
How do I configure IIS to use a shared cache (preferably Redis) for its session IDs?
Update:
There does not seem to be a way to share the session cache. However, Windows Server 2012 R2 seems to support stateless (ticket-based) sessions: http://technet.microsoft.com/en-us/library/hh831771.aspx#BKMK_Changes2012R2.
Tried setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\MaximumCacheSize to 0, as stated in http://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_IssuerCacheSize, to disable the session cache, but there's no effect.
Tried enabling ticket-based sessions with New-TlsSessionTicketKey and Enable-TlsSessionTicketKey (http://technet.microsoft.com/en-us/library/dn296629.aspx), but there's also no effect.
Anyone managed to get those settings to work?
Update 2:
Successfully disabled the session cache by setting both
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\MaximumCacheSize to 0
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ServerCacheTime to 0
and restarting the server.
Still unable to get tickets to work despite running the Enable-TlsSessionTicketKey command for IIS AppPool\{app pool GUID} and Network Service.
Best Answer
Finally, found a way to enable TLS session tickets on win2k12 r2 and win2k16. You need to follow these steps:
1. Create a key (DWORD) in the registry with value 1: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableSslSessionTicket
2. Create a new TLS session ticket key through this PowerShell command (https://technet.microsoft.com/en-us/itpro/powershell/windows/tls/new-tlssessionticketkey):
New-TlsSessionTicketKey -Password <password> -Path "C:\KeyConfig\TlsSessionTicketKey.config" -ServiceAccountName "System"
3. Enable the TLS session ticket key through this PowerShell command (https://technet.microsoft.com/en-us/itpro/powershell/windows/tls/enable-tlssessionticketkey):
Enable-TlsSessionTicketKey -Password <password> -Path "C:\KeyConfig\TlsSessionTicketKey.config" -ServiceAccountName "System"
4. Reboot the server to enable TLS session ticket generation. The reboot is required for the registry entry to take effect.
IMPORTANT: To re-use the same TLS session tickets across load-balanced servers, you need to take the "C:\KeyConfig\TlsSessionTicketKey.config" file generated after running the "New-TlsSessionTicketKey" command on one of the servers, copy that config file to all remaining servers, and run the "Enable-TlsSessionTicketKey" PowerShell command against it on each of them. Unfortunately this worked for me only on win2k16. It did not work on win2k12r2.
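The steps from the answer above, gathered into one script as an added example; this is not code from the original answer or from Microsoft. It generates the ticket key on the node it runs on, then pushes the same key file to the peer nodes so that a ticket issued by one node is accepted by the others. The peer hostnames, the use of the `C$` administrative share, PowerShell remoting, and reading the password with `Read-Host` are assumptions made for illustration; the registry path, the cmdlets and their parameters are the ones the answer names.

```powershell
# Added example, not the original answer's code. Assumptions: peer hosts are
# reachable over the C$ admin share and PowerShell remoting; the key password
# is typed in once as a SecureString.
#Requires -RunAsAdministrator

$KeyPath = 'C:\KeyConfig\TlsSessionTicketKey.config'
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Peers   = @('web02', 'web03')   # assumed names of the other load-balanced nodes
$Password = Read-Host -AsSecureString -Prompt 'TLS session ticket key password'

# Step 1: HTTP.sys switch EnableSslSessionTicket = 1 (DWORD). Needs a reboot.
New-ItemProperty -Path $RegPath -Name 'EnableSslSessionTicket' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Step 2: generate the ticket key once, on this node only. Every node must end
# up with this same file, otherwise tickets from one node are rejected by the rest.
New-Item -ItemType Directory -Path (Split-Path $KeyPath) -Force | Out-Null
New-TlsSessionTicketKey -Password $Password -Path $KeyPath -ServiceAccountName 'System'

# Step 3: enable the key for the local HTTP.sys (runs as System).
Enable-TlsSessionTicketKey -Password $Password -Path $KeyPath -ServiceAccountName 'System'

# Distribute the same key file to the peers and repeat steps 1 and 3 there.
foreach ($peer in $Peers) {
    $remoteDir = "\\$peer\C$\KeyConfig"
    New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
    Copy-Item -Path $KeyPath -Destination $remoteDir -Force

    Invoke-Command -ComputerName $peer -ScriptBlock {
        param($RegPath, $KeyPath, $Password)
        New-ItemProperty -Path $RegPath -Name 'EnableSslSessionTicket' `
            -Value 1 -PropertyType DWord -Force | Out-Null
        Enable-TlsSessionTicketKey -Password $Password -Path $KeyPath -ServiceAccountName 'System'
    } -ArgumentList $RegPath, $KeyPath, $Password
}

# Step 4: confirm the registry value on every node, then reboot each one.
foreach ($host in @($env:COMPUTERNAME) + $Peers) {
    $value = Invoke-Command -ComputerName $host -ScriptBlock {
        param($RegPath)
        (Get-ItemProperty -Path $RegPath -Name 'EnableSslSessionTicket').EnableSslSessionTicket
    } -ArgumentList $RegPath
    Write-Output ("{0}: EnableSslSessionTicket = {1}" -f $host, $value)
}
# Restart-Computer -ComputerName $Peers -Force ; Restart-Computer -Force
```

The key file protects the ticket-encryption secret with the supplied password, so the same password is needed on each node when running Enable-TlsSessionTicketKey. After the reboot, re-running the SSL Labs scan from the question is the check that the "IDs assigned but not accepted" finding has gone; as the answer notes, this only worked for its author on Windows Server 2016.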