By default, any SSL handshake negotiated in Jetty by trapperkeeper-webservices-jetty9 results in Jetty caching the SSL session and returning an SSL session id to the client for the client to use in resuming the session on a later connection. In some scenarios it may be desirable to not have the server cache SSL sessions, e.g., to protect the server from an SSL renegotiation attack until a proper remediation path can be found or when multiple servers having different certificates are hidden behind a load-balanced virtual IP address and session reuse is not desirable / practical. See SERVER-207 for some discussion on the issues session caching presents around load-balanced virtual IP addresses.
In order to disable session caching, a new "caching" option could be exposed in the trapperkeeper-webservices-jetty9 configuration. For compatibility, it would probably be best to allow SSL sessions to be cached by default so that clients can take advantage of the performance benefits of renegotiation.
I believe the lower-level work in Jetty would just involve calling the setSessionCachingEnabled method on the SslContextFactory with a value of true or false, as desired. The setup with the factory is done from ssl-context-factory in jetty9_core.clj.