TLS session caching reduces repeated full TLS handshakes, cutting CPU use and connection latency on busy HTTPS sites. For clients that open many short-lived connections (browsers, proxies, health checks), forcing every connection to renegotiate from scratch is the web-server equivalent of demanding a full passport check at every doorway.

When a client resumes a previous session, it sends a session identifier (or resumption token) and negotiates an abbreviated handshake. In Apache, mod_ssl controls server-side session caching via SSLSessionCache, with the shmcb backend typically used for fast, shared-memory storage across worker processes on the same host.

Commands and paths below match the Ubuntu or Debian apache2 layout (/etc/apache2, apache2ctl, a2enconf, systemd). Behind a load balancer with multiple nodes, the cache is per node, so cross-node resumption needs sticky sessions or TLS session tickets configured consistently. Always run a config test before reloading, because an invalid cache backend or path can prevent Apache from starting.

Steps to enable TLS session caching in Apache:

  1. Confirm that ssl_module and socache_shmcb_module are loaded.
    $ sudo apache2ctl -M | grep -E 'ssl_module|socache_shmcb_module'
     socache_shmcb_module (shared)
     ssl_module (shared)

    If socache_shmcb_module is missing, enable it with a2enmod socache_shmcb and restart apache2 before continuing.

  2. Create /etc/apache2/conf-available/tls-session-cache.conf with the following content.
    <IfModule ssl_module>
        SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout 300
    </IfModule>

    The number in parentheses is the cache size in bytes, and increasing it reduces evictions on high-churn sites.

    An invalid cache backend or an unwritable cache path can prevent apache2 from starting, which makes HTTPS unavailable until the config is fixed.

  3. Enable the new configuration snippet.
    $ sudo a2enconf tls-session-cache
    Enabling conf tls-session-cache.
    To activate the new configuration, you need to run:
      systemctl reload apache2
  4. Validate the Apache configuration syntax.
    $ sudo apache2ctl -t
    Syntax OK
  5. Reload Apache to apply the change.
    $ sudo systemctl reload apache2
  6. Check that Apache is running cleanly after the reload.
    $ sudo systemctl status apache2 --no-pager -l --lines=10
    ● apache2.service - The Apache HTTP Server
         Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: enabled)
         Active: active (running) since Sat 2026-01-10 20:11:10 +08; 29s ago
           Docs: https://httpd.apache.org/docs/2.4/
        Process: 8458 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
        Process: 10202 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
       Main PID: 8461 (apache2)
    ##### snipped #####
  7. Confirm the SSLSessionCache directives are present in the enabled configuration snippet.
    $ sudo grep -n 'SSLSessionCache' /etc/apache2/conf-enabled/tls-session-cache.conf
    2:    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    3:    SSLSessionCacheTimeout 300

    shmcb uses shared memory; the backing store is not always visible as a file on every build.
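
To check that the cache actually resumes sessions, rather than only that the directives are present, the script below is an added example and not part of the original steps. It counts full and resumed handshakes in the output of openssl s_client -reconnect. The function names and the sample status lines are constructed for illustration, and the host passed to probe_resumption is whatever HTTPS site is being checked.

```shell
#!/bin/sh
# Added example: verify server-side TLS session resumption after enabling
# SSLSessionCache. Function names are hypothetical, not part of Apache or OpenSSL.

# Read `openssl s_client -reconnect` output on stdin and print
# "new=<n> reused=<n>". Returns 0 only if at least one handshake was resumed.
summarize_resumption() {
    awk '
        /^New, /    { new++ }
        /^Reused, / { reused++ }
        END {
            printf "new=%d reused=%d\n", new, reused
            exit (reused > 0 ? 0 : 1)
        }'
}

# Probe a live server: one full handshake, then five reconnects offering the
# same session. -tls1_2 with -no_ticket forces session-ID resumption, which is
# the path served by the SSLSessionCache (tickets would bypass the cache).
probe_resumption() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        -tls1_2 -no_ticket -reconnect </dev/null 2>/dev/null |
        summarize_resumption
}

# Constructed sample of the status lines s_client prints when the cache works:
# one "New" handshake followed by five "Reused" ones.
sample_cached() {
    printf '%s\n' '---' 'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
    for i in 1 2 3 4 5; do
        printf '%s\n' '---' 'Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
    done
}

# Offline demonstration on the constructed sample.
sample_cached | summarize_resumption
```

Against a real site, call probe_resumption with the host name; a result with reused=0 means every reconnect fell back to a full handshake, which on a multi-node deployment can also indicate the reconnects landed on different nodes.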