kresd should support TLS session resumption (clients should be able to resume sessions if they ask for them)
kresd currently does not support TLS session resumption. Whether clients ask for session tickets or session IDs, kresd doesn't offer them.
Whether we want to support session tickets or session IDs (or both), if we want multiple concurrent daemons listening on the same port to support resuming each others' sessions, we'd need to have a communications channel between the kresd.
The simplest approach is to ignore the possibility of multiple concurrent daemons being able to resume each others' sessions. In this case, some sessions will not be resumed, and they will fall back to a normal handshake, so it shouldn't be any worse than the status quo.
Sharing state between servers runs the risk of leaking session resumption keys to disk, so i think we should defer sharing session resumption state between servers to a separate issue.
Session tickets are much easier to implement -- see gnutls_session_ticket_key_generate
and gnutls_session_ticket_enable_server
. The only decision we'd need to make is how frequently to rotate the session ticket key. A first-pass implementation could simply schedule a key rotation every two hours.
future/fancier work could create a configuration option to adjust the frequency of key rotation, or a lua directive to rotate session ticket key.