Caching TLS handshake when using URLSession

Hello guys,

I want to know if there is any API which could configure my URLSession object such that the TLS handshake is cached between two requests for a long period of time. From my observations so far, the TLS handshake is performed again every 30 seconds if no request was made in between.

Any help or hint is welcome.

Thank you.

As far as I know there's nothing you can do to URLSession to affect this behavior. All of the low level connection details, like TLS, are abstracted away. Even if you implement the urlSession(_:task:didReceive:completionHandler:) auth challenge delegate, you only get control over certificate validation, not the underlying TLS session.

Instead, these sorts of settings are usually controlled from the server side, as the server can be configured to keep connections and TLS sessions alive for longer periods of time. Additionally, using TLS 1.3 and/or HTTP/2 and HTTP/3 can help you take advantage of TLS session resumption and faster handshakes for known clients.


Hey @Jon_Shier, thank you for your answer.

On the last part of your answer, do you think setting tlsMinimumSupportedProtocolVersion to 1.3 on URLSessionConfiguration should be enough to only use TLS 1.3? Which is the minimum supported protocol version by default anyway?

Ok so after some more investigation I found this API: sec_protocol_options_set_tls_resumption_enabled here: Apple Developer Documentation.

Which I (probably naively) use like this:

    import Network
    let options = NWProtocolTLS.Options()
    // Enable TLS session resumption on these Network framework TLS options
    sec_protocol_options_set_tls_resumption_enabled(options.securityProtocolOptions, true)

However, I am not quite sure how this fits with the URLSession API. There is no explicit way to pass the options variable to some URLSessionConfiguration object. Do the changes apply to any URLSession request in a global fashion?

I've seen some ways in which I could pass the options to a NWConnection. Is the Network framework an alternative to URLSession? The documentation states clearly that URLSession is built upon it but does this imply that it globally inherits settings on it? (Such as the one above)

The default is undocumented, but App Transport Security requires a 1.2 minimum if I remember correctly.

Yeah, that API doesn't affect URLSession behavior, it's only for the lower level Network framework APIs. URLSession will use session resumption if the server supports it, and it's not something the client can force on anyway. As far as I know there's nothing you can do client side to guarantee this behavior.
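Since the client cannot force resumption, what it can do is measure what URLSession actually did. The following is an added example, not code from any poster in this thread: it uses URLSessionTaskMetrics to log, per request, whether the connection was reused or a new TLS handshake was run. The class name HandshakeLogger, the placeholder URL, and the delays (chosen around the 30-second observation in the first post) are assumptions for illustration.

```swift
import Foundation

// Hypothetical helper: logs connection reuse and TLS handshake timing per request.
final class HandshakeLogger: NSObject, URLSessionTaskDelegate {
    func urlSession(_ session: URLSession, task: URLSessionTask,
                    didFinishCollecting metrics: URLSessionTaskMetrics) {
        for t in metrics.transactionMetrics {
            let url = t.request.url?.absoluteString ?? "?"
            if t.isReusedConnection {
                // Existing connection: no TCP connect and no TLS handshake for this request.
                print("\(url): reused connection")
            } else if let start = t.secureConnectionStartDate,
                      let end = t.secureConnectionEndDate {
                // New connection: the secureConnection dates bracket the TLS handshake.
                let ms = Int(end.timeIntervalSince(start) * 1000)
                // Raw value is the wire version: 0x0303 = TLS 1.2, 0x0304 = TLS 1.3.
                let ver = t.negotiatedTLSProtocolVersion
                    .map { "0x" + String($0.rawValue, radix: 16) } ?? "unknown"
                print("\(url): new TLS handshake, \(ms) ms, version \(ver)")
            } else {
                print("\(url): no TLS timing recorded (cache hit or plain HTTP)")
            }
        }
    }
}

let config = URLSessionConfiguration.ephemeral
// Lower bound only; the server still decides whether sessions can be resumed.
config.tlsMinimumSupportedProtocolVersion = .TLSv12
let session = URLSession(configuration: config,
                         delegate: HandshakeLogger(), delegateQueue: nil)
let url = URL(string: "https://example.com/")!  // placeholder host (assumption)

// Issue a request after `delay` seconds; metrics arrive via the delegate above.
func fetch(after delay: TimeInterval) {
    DispatchQueue.main.asyncAfter(deadline: .now() + delay) {
        session.dataTask(with: url) { _, _, error in
            if let error = error { print("request failed: \(error)") }
        }.resume()
    }
}

fetch(after: 0)    // first request: expect a new handshake
fetch(after: 5)    // short gap: connection is likely still open
fetch(after: 45)   // longer than the 30 s idle gap reported in the first post
RunLoop.main.run(until: Date().addingTimeInterval(60))
```

Comparing the handshake duration of the first and third requests gives a rough indication of whether the server allowed a faster handshake for the returning client.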

@Jon_Shier Thanks, clearer now.

I had no idea about this, but it's good to know now anyway.