Support TLS session resumption when originating TLS connections #3817
Envoy supports TLS session resumption when serving TLS connections, but not when originating them.
Description:
When Envoy serves TLS requests, it supports TLS session resumption. However, Envoy clients do not appear to support TLS session resumption. (unless I'm misinterpreting what I'm seeing in Wireshark, which is possible! If Envoy actually does support this I'd love to know how to enable it.)
This is causing a problem for us in our production use of Envoy in cases where we have a few thousand Envoy clients connecting to the same TLS Envoy server to do healthchecks. What happens is:
- it's very expensive to do TLS handshakes, so many of the TLS handshakes time out
- once a client does succeed in establishing a TLS connection, that connection will later time out and be closed (because the server is too busy doing other TLS handshakes and is unable to serve healthchecks in a timely fashion)
- when the client tries to reestablish the TLS connection, it needs to start from scratch
- repeat forever. This process continuously uses 100% of the server's CPU doing TLS handshakes and we never get into a state where every client has established a TLS connection to the server
The Envoy servers we're running are m3.larges, and while those aren't huge, it does seem like it should be possible to establish a few thousand TLS connections to an m3.large within a few minutes and do healthchecks at a low rate (1/minute).
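One way to confirm from the client side whether a session is actually resumed, without reading packet captures, is to open several connections with one shared TLS context and hand each connection the previous session. This is an added example, not Envoy's or the reporter's code; HOST and PORT are placeholders, and it assumes the endpoint answers a plain HTTP request (as a healthcheck target normally would).

```python
"""Probe a TLS endpoint and report whether repeated connections resume a session."""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

HOST = "tls-endpoint.example"  # placeholder: the server being checked
PORT = 443                     # placeholder


@dataclass
class Attempt:
    reused: bool            # SSLSocket.session_reused after the handshake
    session_id: str         # hex session id, "" if the server offered none
    ticket_lifetime: int    # server's ticket lifetime hint in seconds


def build_client_context() -> ssl.SSLContext:
    # create_default_context() verifies the server certificate and hostname.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str = HOST, port: int = PORT, attempts: int = 3) -> List[Attempt]:
    ctx = build_client_context()
    session: Optional[ssl.SSLSession] = None
    results: List[Attempt] = []
    for _ in range(attempts):
        with socket.create_connection((host, port), timeout=5) as raw:
            # Passing the previous session is what makes the client attempt resumption.
            with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
                # TLS 1.3 delivers session tickets after the handshake, so do one
                # request/response round trip before reading the session (assumes HTTP).
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                tls.recv(4096)
                sess = tls.session
                results.append(Attempt(
                    reused=tls.session_reused,
                    session_id=sess.id.hex() if sess else "",
                    ticket_lifetime=sess.ticket_lifetime_hint if sess else 0,
                ))
                session = sess  # carry the session into the next connection
    return results


def verdict(attempts: List[Attempt]) -> str:
    if not attempts:
        return "no data"
    if any(a.reused for a in attempts[1:]):
        return "resumed"
    if all(a.session_id == "" for a in attempts):
        return "server offered no session"
    return "new session every time: full handshake each connection"
```

Run `print(verdict(probe()))`; "new session every time" with non-empty session ids means the server offers resumption but the client is not using it, which is the situation the issue describes.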