>>What I can't find is whether there is a global maximum number of
>On the server side you can set a maximum time with
>SSLSessionCacheTimeout, but different clients have their own
>settings:
Ok so I suppose my question is, is there a difference between Cache timeouts
and session time-to-live? I was under the impression that when a session
gets reused, the server looks in its cache, and if it finds the session,
renews it so that it now has another 5 minutes (or whatever the timeout
value in the config file happens to be). Under this scheme, users could
indefinitely use the same session as long as they made an SSL request every
so often.
>AFAIK not without hacking the mod_ssl code - is there any specific
>reason that you want to do this?
Hacking the mod_ssl code is not out of the question, but the reason for my
question is, on a high availability system, the client/server handshake
becomes expensive and hard to scale, and it is good to be able to find ways
to keep this from happening when possible... hence reusing sessions from the
session cache. However, when using 40-bit encryption, these keys could
probably be cracked in about an hour using today's average technology, so
setting a maximum session time-to-live is important as well, to keep an
active user from using the same session for hours.
J
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
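
The two policies discussed in this message, an idle timeout that is renewed on every reuse and an absolute cap on session age, modelled as an added example that is not part of the original post and is not mod_ssl or OpenSSL code. The class, function and parameter names are hypothetical, times are in seconds, and the session id is constructed.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    created: float    # when the full handshake established the session
    last_used: float  # last time the session was successfully resumed


class SessionCache:
    """Toy session cache (hypothetical model, not mod_ssl's implementation)."""

    def __init__(self, idle_timeout, max_lifetime=None):
        self.idle_timeout = idle_timeout  # sliding window, renewed on reuse
        self.max_lifetime = max_lifetime  # absolute cap from creation, or None
        self.entries = {}

    def store(self, session_id, now):
        self.entries[session_id] = Entry(created=now, last_used=now)

    def resume(self, session_id, now):
        """Return True if the session may be reused at time `now`."""
        entry = self.entries.get(session_id)
        if entry is None:
            return False
        idle_expired = now - entry.last_used > self.idle_timeout
        life_expired = (self.max_lifetime is not None
                        and now - entry.created > self.max_lifetime)
        if idle_expired or life_expired:
            del self.entries[session_id]  # next connection needs a full handshake
            return False
        entry.last_used = now             # renew the sliding window only
        return True


def first_rejection(cache, request_interval, horizon):
    """Resume one session every `request_interval` seconds up to `horizon`.
    Return the time of the first refused resumption, or None if never refused."""
    sid = "constructed-session-id"
    cache.store(sid, now=0)
    t = request_interval
    while t <= horizon:
        if not cache.resume(sid, now=t):
            return t
        t += request_interval
    return None
```

With only the sliding timeout, a client that resumes every four minutes keeps one session (and its keys) for the whole horizon; adding the absolute cap bounds key exposure to `max_lifetime` regardless of activity.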