IIS 7 and Above
How to enable TLS session resumption or Optimize TLS handshake on Wi...
Last post Sep 10, 2018 09:12 AM by deepakpanchal10
Sep 05, 2018 04:30 PM|twinklekumar|LINK
We are facing an issue on Windows 2016. The issue is that when more than 15-20 users request a token, w3wp (IIS 10) and lsass.exe use 100% CPU. By monitoring with WPA and Network Monitor we saw a TLS handshake happening for each request.
I have checked numerous articles which mention getting better performance with TLS session resumption. I don't get a clear answer on how to enable TLS session resumption in IIS 10 on Windows 2016.
Is TLS session resumption related to high CPU? What I mean is, if we implement TLS session resumption, will it affect CPU usage?
Sep 06, 2018 02:31 AM|deepakpanchal10|LINK
To enable TLS session tickets on win2k12 r2 and win2k16, you need to follow these steps:
1) Create a key (DWORD) in the registry with value 1: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableSslSessionTicket
2) Create a new TLS session ticket key through this PowerShell command:
New-TlsSessionTicketKey -Password -Path "C:\KeyConfig\TlsSessionTicketKey.config" -ServiceAccountName "System"
https://technet.microsoft.com/en-us/itpro/powershell/windows/tls/new-tlssessionticketkey
3) Enable the TLS session ticket key through this PowerShell command:
Enable-TlsSessionTicketKey -Password -Path "C:\KeyConfig\TlsSessionTicketKey.config" -ServiceAccountName "System"
https://technet.microsoft.com/en-us/itpro/powershell/windows/tls/enable-tlssessionticketkey
4) Reboot the server to enable TLS session ticket generation. A reboot is required for the registry entry to take effect.
How do I enable ALPN and TLS session resumption (client tickets) in Windows Server 2012 R2
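The four steps above as one elevated PowerShell script. This is an added example, not code from the original reply or from Microsoft's documentation; it assumes the TLS module cmdlets named in the reply are available, that C:\KeyConfig and the password prompt are placeholders you replace, and it adds one thing the reply does not spell out: tightening the ACL on the key file, since anyone who can read that file can decrypt every ticket issued under it.

```powershell
# Added example (not from the original thread): enable TLS session tickets for HTTP.sys
# on Windows Server 2012 R2 / 2016 following the reply's four steps. Run elevated.
# Assumptions: New-TlsSessionTicketKey / Enable-TlsSessionTicketKey are available;
# the directory, file name and password below are placeholders.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$keyDir  = 'C:\KeyConfig'                                   # placeholder; any local path
$keyFile = Join-Path $keyDir 'TlsSessionTicketKey.config'   # placeholder file name

# Step 1: registry DWORD EnableSslSessionTicket = 1 (read by HTTP.sys at boot)
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name 'EnableSslSessionTicket' `
                 -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: create the ticket key file; the password protects the file contents
if (-not (Test-Path $keyDir)) { New-Item -ItemType Directory -Path $keyDir | Out-Null }
$keyPassword = Read-Host -AsSecureString -Prompt 'Password protecting the ticket key file'
New-TlsSessionTicketKey -Password $keyPassword -Path $keyFile -ServiceAccountName 'System'

# Not in the reply: restrict the file to SYSTEM and Administrators. Whoever can read
# the key can decrypt every ticket (and the sessions behind it) issued while it is in use.
$acl = Get-Acl -Path $keyFile
$acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs, do not copy them
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyFile -AclObject $acl

# Step 3: tell HTTP.sys to use this key
Enable-TlsSessionTicketKey -Password $keyPassword -Path $keyFile -ServiceAccountName 'System'

# Step 4: reboot so the registry entry takes effect (prompts before restarting)
Restart-Computer -Confirm
```

Re-running steps 2 and 3 with a new file is also how you rotate the ticket key, which the later reply in this thread recommends doing periodically; rotation only helps if the old key file is deleted afterwards.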
Sep 06, 2018 01:43 PM|twinklekumar|LINK
Thanks for the information on creating a session ticket.
1) Isn't the session ticket considered a vulnerability?
2) How long is this ticket valid?
3) Is the path always C:\ (I don't think so)?
4) Can I create a hidden folder and create KeyConfig underneath it; will that work?
Sep 06, 2018 02:20 PM|twinklekumar|LINK
One more question:
1) How do I know whether TLS resumption is really enabled? I have checked the config file's access date but it hasn't changed.
Sep 10, 2018 09:12 AM|deepakpanchal10|LINK
You had asked several questions.
1) In the case of session tickets, the session-ticket encryption key is the weak point, as it could be stolen and used to decrypt the session ticket (blob) sent by the server (or by the client on session resumption). With the information within the session ticket an adversary can easily decrypt the actual communication between client and server (their DH exchanged secret keys).
2) One should change the key for session tickets periodically. If both are only valid for 24 hours, the attacker can only decrypt a maximum of 24 hours of network communication. For example, Twitter rotates their session ticket encryption key every 12 hours, Cloudflare even every hour.
3) It is important to not store the keys or session cache on hard disks, but only in memory, as they may be recoverable from the hard disks via forensic analysis otherwise. So the path can vary.
4) I think it is not an accurate solution for this, as anyone can easily make the folder visible again.
5) How do I know whether TLS resumption is really enabled?
You can try the site below to check whether TLS resumption is enabled or not.
Disclaimer: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites;
therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from the Internet.
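A local way to answer question 5 without a third-party site, as an added example that is not part of the original thread: the first function reads back the registry value from the reply above (it only proves the setting is present, not that HTTP.sys is honouring it), and the second uses openssl's s_client -reconnect, which opens a connection and then reconnects five times offering the previous session, printing "New" or "Reused" for each attempt. The openssl.exe on PATH and the host name are assumptions; run it from a client against your own IIS server after the reboot.

```powershell
# Added example (not from the original thread). Assumes openssl.exe is on PATH for
# the client-side check; the host name passed in is a placeholder for your server.

function Test-TlsSessionTicketConfig {
    # Server side: is the HTTP.sys registry switch from the reply set to 1?
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' `
                            -Name 'EnableSslSessionTicket' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableSslSessionTicket = if ($reg) { $reg.EnableSslSessionTicket } else { 'not set' }
        Enabled                = [bool]($reg -and $reg.EnableSslSessionTicket -eq 1)
    }
}

function Test-TlsResumption {
    # Client side: does the server actually resume sessions?
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # 'Q' on stdin makes s_client exit once the reconnect loop has finished.
    $out = 'Q' | & openssl s_client -connect "${HostName}:${Port}" `
                                    -servername $HostName -reconnect 2>&1 | Out-String
    $new    = [regex]::Matches($out, '(?m)^New,').Count
    $reused = [regex]::Matches($out, '(?m)^Reused,').Count
    [pscustomobject]@{
        Host        = $HostName
        Handshakes  = $new       # full handshakes (expect 1)
        Resumptions = $reused    # abbreviated handshakes (expect 5 when resumption works)
        Resumes     = ($reused -gt 0)
    }
}

# Usage (placeholders):
# Test-TlsSessionTicketConfig
# Test-TlsResumption -HostName 'iis.example.internal'
```

If Resumptions stays at 0 after the reboot, the CPU symptom from the first post (a full handshake per request) is still present; also check that the calling client keeps a session cache at all, since a client that opens a fresh process per request cannot resume regardless of the server setting.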