TLS session resumption for origin connections


#1

Is it supported? or TLS false start? what is the difference between the two?


#2

TLS session resumption and TLS tickets are both supported and used if the origin allows.

TLS False Start is a timing improvement in handshakes without TLS session resumption/tickets.

Keep in mind that we try to keep connections to origin open as long as possible and reuse them for as many requests as we can. So if you setup long keep-alive timeouts on your origin (and stateful firewalls/NAT boxen in between) there shouldn’t be too many handshakes to start.

Given that we do support TLS session resumption and tickets, TLS False Start to origin would not gain us much, if anything. Also, we use OpenSSL to connect to origin, and it does not support TLS False Start at this point. With early-data and 0-RTT being worked on, I doubt False Start will ever make it into OpenSSL.

As an aside, while TLS session resumption and TLS tickets make a difference in your origin’s CPU usage for handshakes, TLS False Start only improves timing in the case where there is no session to resume or ticket to use.