Skip to main content

3.4. TLS Session Resumption

If TLS session resumption is used, care ought to be taken to do so safely. In particular, when using session tickets [RFC5077], the resumption information MUST be authenticated and encrypted to prevent modification or eavesdropping by an attacker. Further recommendations apply to session tickets:

  • A strong cipher suite MUST be used when encrypting the ticket (as least as strong as the main TLS cipher suite).

  • Ticket keys MUST be changed regularly, e.g., once every week, so as not to negate the benefits of forward secrecy (see Section 6.3 for details on forward secrecy).

  • For similar reasons, session ticket validity SHOULD be limited to a reasonable duration (e.g., half as long as ticket key validity).

Rationale: session resumption is another kind of TLS handshake, and therefore must be as secure as the initial handshake. This document (Section 4) recommends the use of cipher suites that provide forward secrecy, i.e. that prevent an attacker who gains momentary access to the TLS endpoint (either client or server) and its secrets from reading either past or future communication. The tickets must be managed so as not to negate this security property.

Last updated on