Traditionally mod_ssl allows reuse of SSL sessions by its SSL session cache on the server side. One can control via SSLSessionCacheTimeout how long a session is kept in the cache (if the cache is big enough).
For a long time now, most clients no longer rely on the server caching the sessions. Instead they use TLS session resumption (RFC 5077). Here the server puts the session info in a session ticket, which gets saved by the client and, on reuse, presented to the server, which validates the ticket and retrieves the session info from the ticket.

Currently mod_ssl does not provide a way to control how long such a ticket may be used by the client. As far as I can see, there is no specific API in OpenSSL for that, but there is a general API that allows setting a session timeout which is checked whenever a session is reconstructed. The timeout can be inherited from the SSL_CTX, so it can easily be set in mod_ssl on a configurable per-VHost basis.

Are there any reservations against using that to set a configurable general SSL session timeout? We could reuse the SSLSessionCacheTimeout directive and also apply it as the timeout to every client-to-web-server session. That way we would not need to add yet another config directive, and SSLSessionCacheTimeout would kind of also apply to the client-side caching. Or we could introduce a new SSLSessionTimeout. If so, should there be any inheritance of values between SSLSessionCacheTimeout and SSLSessionTimeout if only one is set?

I would prefer to keep SSLSessionCacheTimeout as the only directive and use it also for the default timeout of any created session, even if it is not cached server-side. Second best IMHO would be a separate SSLSessionTimeout, which would be implemented totally independently of SSLSessionCacheTimeout.

WDYT?

Regards,
Rainer
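A small model of the mechanism discussed above, added here as an illustration and not code from mod_ssl or OpenSSL: the session's creation time and the timeout inherited from the context travel inside the ticket, and the server enforces the timeout when it reconstructs the session, so a ticket issued without a timeout stays usable for as long as the ticket key is valid. The ticket layout, the key and the timestamps are constructed for the example; the HMAC stands in for the real ticket protection.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the server's ticket key; real keys are random and rotated.
TICKET_KEY = b"constructed-example-ticket-key"


class ServerContext:
    """Stand-in for an SSL_CTX: sessions created under it inherit session_timeout."""

    def __init__(self, session_timeout=None):
        # None models a ticket with no lifetime bound, the situation the post describes.
        self.session_timeout = session_timeout


def issue_ticket(ctx, session_info, now):
    """Server side after a full handshake: serialise session state plus its creation
    time and the inherited timeout, then authenticate the whole ticket."""
    body = json.dumps({"created": now, "timeout": ctx.session_timeout,
                       "info": session_info}, sort_keys=True).encode()
    return body + hmac.new(TICKET_KEY, body, hashlib.sha256).digest()


def resume_session(ticket, now):
    """Server side on resumption: authenticate, reconstruct, then apply the stored
    timeout. Returns the session info, or None to force a full handshake."""
    body, mac = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(mac, hmac.new(TICKET_KEY, body, hashlib.sha256).digest()):
        return None  # forged or corrupted ticket
    session = json.loads(body)
    timeout = session["timeout"]
    if timeout is not None and now - session["created"] > timeout:
        return None  # expired: the check made when the session is reconstructed
    return session["info"]


def demo():
    """Issue tickets at t=1000 and try to resume them later; returns the outcomes."""
    info = {"cipher": "example-suite", "master_key": "constructed"}
    bounded = issue_ticket(ServerContext(session_timeout=300), info, now=1000)
    unbounded = issue_ticket(ServerContext(), info, now=1000)
    tampered = bytearray(bounded)
    tampered[0] ^= 0x01  # flip one bit of the session body
    return {
        "fresh_bounded": resume_session(bounded, now=1200),         # 200 s old: resumed
        "stale_bounded": resume_session(bounded, now=1400),         # 400 s > 300 s: rejected
        "stale_unbounded": resume_session(unbounded, now=10 ** 9),  # no bound: still resumed
        "tampered": resume_session(bytes(tampered), now=1200),      # MAC fails: rejected
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'resumed' if outcome else 'full handshake'}")
```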
