Wildcard SSL negotiation across sub-domains

Question

I'm wanting to make a site as fast as possible and as part of that will be using multiple sub-domains to essentially grow the number of concurrent connections in a browser.

My question is this: how can I avoid having to do SSL negotiation for each sub-domain? If I use a wildcard certificate (or SAN) can/will the SSL session established with the primary www. domain be reused for the sub-domains to avoid the added latency of renegotiating the SSL connection?

The entire site will be behind SSL and it will have 2-3 additional sub-domains like media., static. etc. Using NGINX.

Even so there are other reasons behind using different sub-domains so I am still interested in the answer. — winston, Oct 31 '16 at 20:40

score 0 · Answer 1 · answered Nov 01 '16 at 21:27

I don't think you can avoid taking the hit of SSL negotiation for each sub-domain.

The HTTPS connection must be established individually for each sub-domain. For all the client knows, those different sub-domains could be hosted anywhere, on different servers, in different countries. While the client technically could determine all sub-domains lead to the same IP address, it cannot and should not assume all sub-domains are being hosted by the same server process.

Furthermore, the connections will be coming in at different times, and the HTTPS key exchange process isn't designed to coordinate the kind of sharing of information between encrypted streams that you're hoping for.

Wildcard SSL negotiation across sub-domains

1 Answers1