pound
SSL session id affinity
I am using pound in an SSL-offloading proxy capacity and have been wondering if it is possible to have access to the client-side connections' SSL session ID, either as a header like the other X-SSL-* headers, for use in pound's Session config, or both?
From what I have read[1], it should be possible to uniquely identify client connections with the SSL session ID or from TLS tickets (even behind NAT devices, unlike IP), and it would be nice to have that information exposed for load-balancer backend pinning and perhaps to backend services (for added session security in combination with client IP and other info).
HAProxy seems to have such an option (SSLID) according to this blog post.
In Apache mod_ssl, this is available as the SSL_SESSION_ID and SSL_SESSION_RESUMED env variables.
[1] Related information:
- http://discourse.haproxy.org/t/ssl-load-balancing-with-session-affinity/86/3
- https://security.stackexchange.com/q/48856
- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
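To make concrete what a proxy would have to extract for session-ID affinity, here is an added example (not pound code, and not from the original post) that parses the session_id field and the SessionTicket extension out of a TLS 1.2 ClientHello and hashes a non-empty session ID onto a backend. The ClientHello bytes are constructed by `build_client_hello`, a helper written for this example; note that a fresh connection carries an empty session_id, so pinning can only begin once a session exists.

```python
import hashlib
import struct

SESSION_TICKET_EXT = 0x0023  # RFC 5077 SessionTicket extension type


def build_client_hello(session_id: bytes, extensions: list) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32                    # client_version, random (fixed here)
    body += bytes([len(session_id)]) + session_id         # session_id<0..32>
    body += struct.pack(">H", 2) + b"\xc0\x2f"            # cipher_suites: one suite
    body += b"\x01\x00"                                   # compression_methods: null only
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def parse_client_hello(rec: bytes) -> dict:
    """Return the session_id and whether a non-empty SessionTicket extension was offered."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello record")
    p = 5 + 4 + 2 + 32                                    # record hdr, hs hdr, version, random
    sid_len = rec[p]; p += 1
    session_id = rec[p:p + sid_len]; p += sid_len
    cs_len = struct.unpack(">H", rec[p:p + 2])[0]; p += 2 + cs_len
    cm_len = rec[p]; p += 1 + cm_len
    has_ticket = False
    if p + 2 <= len(rec):                                 # extensions block is optional
        ext_len = struct.unpack(">H", rec[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            et, el = struct.unpack(">HH", rec[p:p + 4]); p += 4
            if et == SESSION_TICKET_EXT and el > 0:       # empty ext = "tickets supported, none yet"
                has_ticket = True
            p += el
    return {"session_id": session_id, "has_ticket": has_ticket}


def pick_backend(session_id: bytes, n_backends: int):
    """Hash a non-empty session id onto a backend index; empty id means no affinity key yet."""
    if not session_id:
        return None
    digest = hashlib.sha256(session_id).digest()
    return int.from_bytes(digest[:8], "big") % n_backends
```

When tickets are in use the server-side state lives in the ticket rather than a cache, so the session_id alone may be empty or client-chosen; a proxy would need the ticket (or the resumed-session flag, as mod_ssl's SSL_SESSION_RESUMED exposes) to pin those clients.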