Share via

Https Server using .Net

S Abijith 496 Reputation points
2025-11-27T09:27:46.6566667+00:00

Hello All,

We are planning to develop an Https Server using .Net 8.0. The main criteria for us are the below:

  1. The https server must disable session resumption.
  2. Since session resumption is disabled, it doesnt mean a full handshake is performed each time.

Can anyone please let us know if there is a way to achieve this.

Thank you in advance!!

Developer technologies | C#
Developer technologies | C#

An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.

0 comments
Answer accepted by question author
  1. can kucukgultekin 330 Reputation points
    2025-11-28T16:27:52.3233333+00:00

    Hey S Abijith,

    The core of what youre asking for runs into a protocol-level limitation so its important to be very clear about what TLS can and cannot do honestly.

    Your two requirements were: the HTTPS server must disable session resumption, and even with session resumption disabled it should not perform a full handshake each time. Those two are essentially incompatible.

    In TLS the only standard way to avoid paying the full handshake cost on every new TCP connection is session resumption (session IDs, session tickets, TLS 1.3 PSK etc). If you turn off all resumption mechanisms every new connection has to do a full handshake, theres no "third mode" where resumption is off but the handshake is still abbreviated.

    TLS 1.3 does make full handshakes faster (fewer round-trips than TLS 1.2) but its still a full handshake, its just a more efficient protocol.

    On the .NET 8 side heres the situation: ASP.NET Core and Kestrel dont implement TLS themselves, they use the OS TLS stack (SChannel on Windows, OpenSSL on Linux). With SslServerAuthenticationOptions you can configure protocol versions, cipher suites, certificates etc. However in .NET 8 there is no documented server-side setting like "disable TLS resumption for this Kestrel endpoint".

    Theres an SslServerAuthenticationOptions.AllowTlsResume property but its for newer runtimes (.NET 9+), it doesnt exist in .NET 8 so you cant rely on it there.

    If you really must disable session resumption for policy or compliance reasons the realistic options are:

    Terminate TLS on a reverse proxy or load balancer. Put nginx, HAProxy, Apache, F5, Cloudflare etc in front of your .NET app and configure TLS there. Those components give you explicit controls:

    nginx

    ssl_session_tickets off;
ssl_session_cache off;

    That effectively disables session resumption at the edge. Your .NET 8 app then talks plain HTTP behind the proxy.

    Use OS-level TLS settings (Windows/SChannel): On Windows SChannel allows you to restrict or disable the server session cache via registry settings such as MaximumCacheSize. Setting this to 0 disables session caching and thus resumption, but this is global for all SChannel-using services on the machine, not something .NET controls per application.

    On Linux/OpenSSL resumption is typically controlled by OpenSSL options (session tickets, server cache) but those options are not exposed directly by .NET, youd need to manage TLS at a proxy or native layer instead.

    A more realistic framing would be: If your main concern is security not passing a specific "no resumption" checkbox, use TLS 1.3, disable 0-RTT if youre worried about replay, keep reasonable ticket lifetimes. TLS 1.3 still gives you perfect forward secrecy even when using resumption.

    If you truly must disable resumption for compliance then accept that every new TCP connection will do a full handshake and you probably need to manage TLS at a reverse proxy or OS level not inside .NET 8/Kestrel itself.

    Shortly, with .NET 8 you cant really get "session resumption disabled but no full TLS handshakes", the TLS spec doesnt support that combination and .NET 8 doesnt expose a fine-grained server-side resumption toggle anyway. You either terminate TLS somewhere you fully control it or you reconsider requirement #2.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Susmitha T (INFOSYS LIMITED) 2,690 Reputation points Microsoft External Staff
    2025-11-28T09:50:37.3366667+00:00

    Thank you for reaching out!

    You're looking to create an HTTPS server in .NET 8.0 that disables session resumption while not requiring a full handshake for each connection. Here’s how you can approach this:

    1. Disabling Session Resumption: To disable TLS session resumption, you may need to configure your TLS settings explicitly. While there isn't direct documentation for disabling session resumption in .NET 8.0, typically this involves setting specific parameters in your TLS/SSL configuration. You may need to explore the SslStream class features in .NET which allows you to customize the SSL handshake process.
    2. Avoiding Full Handshake: Since you want to avoid full handshakes, ensure you are managing your SSL context appropriately when you initialize and handle your HTTPS server. The SslStream class in .NET provides methods for managing SSL connections efficiently and could help you maintain the session without requiring a fresh handshake every time.
    3. Implementing the Server: You can use the HttpListener class to create a simple HTTPS server or Kestrel if you are building an ASP.NET Core application. Configure the appropriate SSL certificate and ensure your HTTP server's logic handles requests as desired.

    Reference Links:

    Let me know if you need any further help with this. I will be happy to assist.
    If you find this helpful, Kindly mark the provided solution as "Accept Answer", so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.