Back to all questions

How Can a CDN Improve SSL/TLS Performance?

Rostyslav Pidgornyi
March 15, 2024

A CDN, believe it or not, is the number one orchestrator behind good SSL/TLS performance. It does this by offloading the SSL/TLS handshake process to edge servers closer to the user, reducing latency and speeding up the secure connection establishment.

Aside from this main advantage, there are also several other avenues a CDN uses for boosting performance, each of which I’ll discuss below:

1. Session Resumption Capabilities

CDNs can enhance SSL/TLS performance by utilizing session resumption techniques, which allow repeat visitors to bypass the full handshake process when re-establishing a secure connection.

The following help in this regard, leading to quicker subsequent visits and a smoother user experience:

  • TLS Session IDs: This is a unique identifier assigned to a session when an SSL/TLS connection is first established between a client and a server. During the initial handshake, the server generates a session ID and sends it to the client through a certificate. If the client later attempts to reconnect, it presents this session ID. If the server recognizes this ID (indicating it has the session information stored), it can skip the full handshake.
  • TLS Session Tickets: These are an extension to the session ID mechanism. Instead of relying on the server to store session information, the server encrypts this information and sends it to the client as a "ticket" at the end of an initial secure session. When the client wants to reconnect, it sends back the session ticket. The server, equipped with the necessary keys to decrypt the ticket, can restore the session parameters without requiring a full handshake.

2. Optimized Connection Re-Use

Connection re-use is a mechanism where multiple requests between the same client and server use the same secure connection, reducing the overhead of establishing new connections.

CDNs are designed to maintain persistent connections where possible, which decreases latency and server load, leading to better performance for SSL/TLS connections, all without compromising CDN security.

3. Load Balancing for SSL/TLS Handshakes

During peak times, a lot of users might be trying to access a website, causing a high demand for secure (SSL/TLS) connections. 

Load balancing ensures that no single server gets overwhelmed by distributing the connection requests among several servers. 

This ensures that the SSL/TLS setup phase is handled efficiently, even under heavy load, maintaining optimal performance.

4. SSL/TLS Optimization and Configuration

Just as adjusting the engine settings can make the car go faster, choosing the right settings for SSL/TLS can make web connections more secure and efficient.

I’ve found the following SSL performance optimizations to work well:

Optimization Description
Cipher Suite Selection Choosing modern, efficient cipher suites that offer strong encryption without excessive overhead.
HTTP/2 Enablement Upgrading from HTTP/1.x to HTTP/2, which supports multiplexing and header compression.
TLS Version Upgrade Moving to the latest versions of TLS (e.g., TLS 1.3) which have streamlined handshake processes.
Session Tickets for Resumption Using session tickets to store session data, enabling faster reconnections by skipping handshakes.
OCSP Stapling Including the Online Certificate Status Protocol (OCSP) response in the handshake to verify status.
Perfect Forward Secrecy (PFS) Implementing key agreement protocols that ensure a session key cannot be compromised in the future.
HSTS (HTTP Strict Transport Security) Enforcing secure (HTTPS) connections for all users, avoiding the overhead of redirecting from HTTP.

5. Edge Computing and SSL/TLS Offloading

Edge computing is about processing data closer to where it's being generated rather than sending it all the way back to a central data center. When applied to SSL/TLS, this concept is known as "offloading."

SSL/TLS offloading involves handling the encryption and decryption of data at the edge of the network (closer to the user) instead of doing it all on the main server. 

This reduces the workload on the main server and speeds up the process because the data doesn't have to travel as far.