How to Optimize Apache SSL Session Cache?
Optimizing the SSL/TLS session cache in the Apache HTTP Server is a highly effective way to reduce CPU load and improve server response times. When a client establishes a secure connection, the cryptographic handshake consumes significant CPU cycles. By caching session parameters, subsequent requests from the same client can reuse the previous cryptographic material through session resumption, bypassing the heavy mathematical lifting of the full initial handshake. This article explores how SSL session caching works, the different cache types available in Apache, and best practices for configuring them to maximize performance.
Understanding SSL Session Resumption
Every new SSL/TLS connection requires a handshake where the server and client agree on encryption keys. This process involves asymmetric cryptography, which is notoriously CPU-intensive.
Apache supports two primary methods to mitigate this overhead:
- Session IDs (Server-Side Caching): The server stores the session states in a local cache and sends a unique Session ID to the client. On the next connection, the client presents this ID, and if Apache finds it in its cache, it resumes the session.
- Session Tickets (Client-Side Caching): The server encrypts the session state and sends it to the client as a ticket. The client stores it and sends it back later. This removes the storage burden from the server entirely.
While session tickets are highly efficient, combining them with a well-configured server-side session cache ensures optimal compatibility and performance across all browser types.
Choosing the Right Cache Mechanism
Apache uses the SSLSessionCache directive to define
where and how it stores session data. There are three main mechanisms
used depending on the scale of the deployment:
| Cache Type | Directive Syntax Example | Best Used For |
|---|---|---|
| socache_shmcb | shmcb:/path/to/datafile(512000) |
Single-server setups (High performance, memory-mapped) |
| socache_redis | redis://127.0.0.1:6379/1 |
Distributed, multi-server load-balanced environments |
| socache_memcache | memcache:127.0.0.1:11211 |
Shared caching across multiple frontend web servers |
For most standalone servers, shmcb (Shared Memory Cyclic Buffer) is the gold standard. It is incredibly fast because it utilizes a cyclic buffer inside a shared memory segment, meaning it never blocks and automatically overwrites old entries when full.
Step-by-Step Configuration for Apache
To optimize the cache and reduce your CPU load, you need to modify
your Apache configuration file (usually httpd.conf or
ssl.conf).
1. Enable the Session Cache Module
Ensure that the mod_ssl and the appropriate storage
module (like mod_socache_shmcb) are loaded:
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so2. Configure the SSLSessionCache Directive
Add or update the SSLSessionCache directive. Allocating
an appropriate size prevents the cache from thrashing and evicting
active sessions prematurely. A 512 KB cache can typically hold around
4,000 sessions.
SSLSessionCache "shmcb:/var/run/apache2/ssl_scache(512000)"3. Adjust the Cache Timeout
The SSLSessionCacheTimeout directive dictates how long
(in seconds) a session remains valid in the cache. If the timeout is too
short, clients will constantly trigger full handshakes. If it is too
long, you risk consuming memory on dead sessions.
A timeout of 5 to 10 minutes (300 to 600 seconds) strikes an ideal balance for high-traffic sites:
SSLSessionCacheTimeout 300Verifying and Monitoring the Performance
After applying the changes, restart Apache to apply the configuration:
sudo systemctl restart apache2To verify that the session cache is actively reducing your CPU load, you can use the OpenSSL benchmarking tool to test session resumption:
openssl s_client -connect localhost:443 -reconnectLook closely at the output. The first connection should show a full handshake, while the subsequent connections should explicitly state “Reused, TLSv1.3, Cipher is…”. If the session is successfully reused, your configuration is correct, and your CPU is no longer wasting cycles on redundant cryptographic handshakes.