The current implementation of TLS in node prevents resumption of TLS sessions via TLS session ticket extension when the application is running in a cluster.

The reason is that SSL_CTX_new initializes TLS session ticket algorithm with random values. The values are obviously different in every worker and therefore workers do not accept tickets from their neighbours. In OpenSSL, from ssl/ssl_lib.c:

/* Setup RFC4507 ticket keys */
if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
  || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
  || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
  ret->options |= SSL_OP_NO_TICKET;

To fix the issue, all workers must initialize openssl with the same key.

unsigned char keys[48];

/* TODO obtain a sequence of random 
   48 bytes shared by all workers */

/* Tell OpenSSL to use those keys */
SSL_CTX_set_tlsext_ticket_keys(ctx, keys, sizeof(keys));

A simple solution comes to my mind: we could generate the keys in the master process and distribute it to all workers. Either on cluster.fork or on demand via messages.

See this article [1] for more information and possible caveats.

//cc @indutny

[1] http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html