configure SSL session timeout

2005-10-06 Thread ktchow

Dear All,

I know the SSL session timeout param can be configured by the directive SSLSessionCacheTimeout. Is there any setting or API for the browser or client application to configure the SSL session timeout param and override the server's one such that each application can configure their timeout period of the SSL connection according to their requirement?

Please advise and regards,

KT Chow

Re: configure SSL session timeout

2005-10-06 Thread Cliff Woolley
> I know the SSL session timeout param can be configured by the directive
> SSLSessionCacheTimeout. Is there any setting or API for the browser or
> client application to configure the SSL session timeout param and override
> the server's one such that each application can configure their timeout
> period of the SSL connection according to their requirement?

Nope... not that I know of.

--Cliff
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: configure SSL session timeout

2005-10-06 Thread Mads Toftum
On Thu, Oct 06, 2005 at 09:51:47AM -0400, Cliff Woolley wrote:
> > I know the SSL session timeout param can be configured by the directive
> > SSLSessionCacheTimeout. Is there any setting or API for the browser or
> > client application to configure the SSL session timeout param and override
> > the server's one such that each application can configure their timeout
> > period of the SSL connection according to their requirement?
>
> Nope... not that I know of.

Just to clear this up - both the client and the server choose whether
they want to reuse sessions. SSLSessionCacheTimeout sets how long the
server is willing to reuse a session, but a client may choose not to
reuse the session after a shorter time. When a session expires on the
server, a client may try to reuse the session, but the server won't
allow that.
One example of a client using short session times is IE which would
expire SSL2 sessions really fast, but allow TLSv1 with strong crypto to
live much longer (that experience is a couple of years old, so they've
probably changed the policy many times over since then).

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
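
Added example, not part of the original thread: a client-side session store in Python's standard ssl module that applies its own, shorter maximum age before offering a session for resumption, as described in the reply above. The class name, function name and the max_age_seconds parameter are hypothetical; the server can still refuse an offered session, in which case session_reused is False.

```python
import socket
import ssl
import time


class ClientSessionCache:
    """Per-host TLS session store with a client-chosen maximum age."""

    def __init__(self, max_age_seconds):
        self.max_age = max_age_seconds
        # A session can only be resumed through the SSLContext that created it.
        self.context = ssl.create_default_context()
        self._sessions = {}  # host -> ssl.SSLSession

    def put(self, host, session):
        if session is not None:
            self._sessions[host] = session

    def get(self, host, now=None):
        """Return a session to offer for resumption, or None for a full handshake."""
        session = self._sessions.get(host)
        if session is None:
            return None
        now = time.time() if now is None else now
        age = now - session.time  # .time is the creation time (epoch seconds)
        # The client policy can only shorten the usable lifetime; .timeout is
        # the lifetime recorded in the session object itself.
        if age >= min(self.max_age, session.timeout):
            del self._sessions[host]
            return None
        return session


def fetch_head(host, cache, port=443):
    """Send one HEAD request; report whether the server resumed the session."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with cache.context.wrap_socket(raw, server_hostname=host,
                                       session=cache.get(host)) as tls:
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            tls.recv(4096)  # read first: TLS 1.3 tickets arrive after the handshake
            reused = tls.session_reused
            cache.put(host, tls.session)
            return reused
```

Calling fetch_head twice for the same host within max_age_seconds offers the cached session on the second call; whether it is resumed is the server's decision.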
