On 11.02.2019 at 10:18, Mark Thomas wrote:
> The OpenSSL defaults are:
> - session caching enabled
> - session timeout 300 (seconds)
> r1686258 changed those to:
> - session caching disabled
> - session timeout 14400 (4 hours)
> This was part of the netty changes.
> I think the timeout change is OK but I think the session caching should
> be enabled by default.
> Thoughts?
Are we talking about server-side caching based on session IDs, or about
TLS session tickets (RFC 5077)? Both allow TLS sessions to span more than
one connection.
Server-side caching needs some session save facility; I'm unsure what
OpenSSL brings with it. In the Apache web server the storage is
implemented as part of the web server, but maybe this is only due to
needing it in a multi-process setup (as shared memory). The requirements
are simpler for tcnative. I don't know about the specifics of the
OpenSSL storage implementation, e.g. cleanup mechanism and memory demand.
When using the session ticket extension, the server does not need to
store and manage the sessions, but the caveat is key rotation. The key
shouldn't get used for too long. Again, this is from the Apache web
server; I'm unsure what OpenSSL provides on its own, but I think one
needs to implement a callback.
The more modern approach would be the session ticket extension. One
wouldn't have to store the sessions, but one would have to think about
the key rotation. Whatever way we choose, I tend to prefer enabled
sessions as the default. A good timeout is not easy, because it would
probably depend on the amount of data the keys were used for, and we only
have usage time available. The Apache web server documents 300 seconds.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
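The key-rotation bookkeeping the reply above says a ticket callback has to do, written out as an added example (editor's code, not tcnative, Tomcat or Apache httpd code): a two-key ring in plain C that mirrors the verdict contract of OpenSSL's session ticket key callback (0 = reject, 1 = accept, 2 = accept but re-issue) without linking against OpenSSL. The hourly interval, the struct layout, the function names and the xorshift byte generator standing in for RAND_bytes() are all assumptions; no ticket encryption is performed, only the key selection the callback does before encrypting or decrypting.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TK_NAME_LEN    16    /* key_name field of an RFC 5077 ticket */
#define TK_KEY_LEN     32
#define TK_ROTATE_SECS 3600  /* assumption: issue under a fresh key every hour */

/* Verdicts, following the convention of OpenSSL's ticket key callback on the
 * decrypt path: 0 = key unknown, reject ticket (client gets a full handshake);
 * 1 = accept; 2 = accept, but re-issue the ticket under the current key. */
enum { TK_REJECT = 0, TK_ACCEPT = 1, TK_RENEW = 2 };

typedef struct {
    uint8_t name[TK_NAME_LEN];    /* public identifier stored in the ticket */
    uint8_t aes_key[TK_KEY_LEN];  /* ticket encryption key */
    uint8_t hmac_key[TK_KEY_LEN]; /* ticket integrity key */
    time_t  created;
} ticket_key;

typedef struct {
    ticket_key current;      /* issues new tickets, accepts its own */
    ticket_key previous;     /* accept-only during the grace interval */
    int        has_previous;
    uint64_t   rng;          /* xorshift state: stand-in for RAND_bytes(), NOT cryptographic */
} ticket_key_ring;

static void fill_random(ticket_key_ring *r, uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        r->rng ^= r->rng << 13;
        r->rng ^= r->rng >> 7;
        r->rng ^= r->rng << 17;
        buf[i] = (uint8_t)r->rng;
    }
}

static void new_key(ticket_key_ring *r, ticket_key *k, time_t now) {
    fill_random(r, k->name, TK_NAME_LEN);
    fill_random(r, k->aes_key, TK_KEY_LEN);
    fill_random(r, k->hmac_key, TK_KEY_LEN);
    k->created = now;
}

void ring_init(ticket_key_ring *r, time_t now, uint64_t seed) {
    memset(r, 0, sizeof *r);
    r->rng = seed ? seed : 0x9E3779B97F4A7C15ULL; /* xorshift must not start at 0 */
    new_key(r, &r->current, now);
}

/* Retire the current key once it has issued tickets for TK_ROTATE_SECS.
 * The retired key stays accept-only for one more interval, then is dropped.
 * Returns 1 if a rotation happened. */
int ring_rotate_if_due(ticket_key_ring *r, time_t now) {
    if (now - r->current.created < TK_ROTATE_SECS)
        return 0;
    r->previous = r->current;
    r->has_previous = 1;
    new_key(r, &r->current, now);
    return 1;
}

/* Encrypt path (enc == 1 in the OpenSSL callback): always the current key. */
const ticket_key *ring_issuing_key(ticket_key_ring *r, time_t now) {
    ring_rotate_if_due(r, now);
    return &r->current;
}

/* Decrypt path (enc == 0): find the key named in the ticket and return the
 * verdict the callback would hand back to OpenSSL. */
int ring_lookup(ticket_key_ring *r, time_t now,
                const uint8_t name[TK_NAME_LEN], const ticket_key **out) {
    ring_rotate_if_due(r, now);
    if (memcmp(name, r->current.name, TK_NAME_LEN) == 0) {
        *out = &r->current;
        return TK_ACCEPT;
    }
    if (r->has_previous && memcmp(name, r->previous.name, TK_NAME_LEN) == 0) {
        *out = &r->previous;
        return TK_RENEW;   /* still decryptable, but the client gets a fresh ticket */
    }
    *out = NULL;
    return TK_REJECT;      /* older than two intervals: full handshake */
}

int main(void) {
    ticket_key_ring ring;
    uint8_t name[TK_NAME_LEN];
    const ticket_key *k;
    time_t t0 = 1000;   /* constructed timeline: one ticket presented at later times */
    ring_init(&ring, t0, 42);
    memcpy(name, ring_issuing_key(&ring, t0)->name, TK_NAME_LEN);
    printf("+0h verdict %d\n", ring_lookup(&ring, t0, name, &k));
    printf("+1h verdict %d\n", ring_lookup(&ring, t0 + TK_ROTATE_SECS, name, &k));
    printf("+2h verdict %d\n", ring_lookup(&ring, t0 + 2 * TK_ROTATE_SECS, name, &k));
    return 0;
}
```

The verdict 2 is what keeps rotation invisible to clients: a ticket issued under the retired key is still accepted once, and the client leaves with a ticket under the current key, so rotating does not force full handshakes. A ticket older than two intervals is rejected whatever the configured session timeout says, which is the only handle available when, as the reply notes, usage time rather than data volume is all one can measure. Two caveats: rotation here is lazy (it runs when the callback fires, so a quiet server keeps a key longer than the interval; a timer would fix that), and in a multi-process deployment the ring has to live in shared memory, as the Apache web server does for its session storage.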