On Fri, Sep 07, 2001 at 06:26:18PM -0700, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) 
wrote:
>   Thanks for that feedback.. When I meant "reset the timeout", I certainly
> did not mean to do it for ever.. There has to be a limit - either the number
> of times the reset is done or the time limit - or both. The timeout that I
> was thinking of is something like 
> (10 * SSLSessionCacheTimeOut > global_timeout < 1500)

You can do this on an application-specific basis. It does not hurt, as long
as you make sure that sessions will expire after some reasonable amount of
time. I cited from RFC 2246. For Postfix/TLS I have decided on a default timeout
of 1 hour. Timeout values in the range of 15-30 seconds don't make any
sense to me. If you load a page with a lot of subobjects, the session would
even expire before the last items are loaded.

> But if the mod_ssl gurus agree to have a bigger timeout, it's fine with me.
> 'else, I can try including the logic in Apache 2.0.

The downside of your approach is that you have to add additional logic to
your code, so that after each SSL_accept() with SSL_session_reused()=1
you have to adjust the timeout value of the session, which will be a pain
in the a* to do when using external session caching. Please be aware
that a session that is in the backing store does not receive the timeout
update. It is only updated in the internal session cache (for the process
using the internal cache). Due to this problem I also don't see a simple
idea how to solve this problem by an extension to OpenSSL (it would not
be difficult to add a second timeout value and to update sessions that
are reused automatically), but keeping this synchronized with the external
session cache would complicate things significantly.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
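The two points of the exchange above, modelled in code as an added example that is not part of the thread and is not OpenSSL or mod_ssl code: a session cache whose entries get their timeout pushed out on each resumption, but bounded both by a reset count and by an absolute lifetime measured from the full handshake (the `10 * SSLSessionCacheTimeout` / `global_timeout` idea in the quoted reply), beside a backing store that holds the same session but never sees the update (the desynchronisation Lutz warns about). The class and function names, the sample session id, and the timing values are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    created: int   # seconds: when the full handshake produced the session
    expires: int   # seconds: when the session stops being resumable
    resets: int = 0  # how many times a resumption has pushed `expires` out


class SessionCache:
    """Constructed model of a TLS session cache with bounded reset-on-reuse.

    timeout        - per-session timeout (SSLSessionCacheTimeout in the thread)
    max_resets     - how many resumptions may push the expiry out
    hard_limit     - absolute lifetime measured from the full handshake
    reset_on_reuse - False models a backing store that never sees the update
    """

    def __init__(self, timeout, max_resets, hard_limit, reset_on_reuse=True):
        self.timeout = timeout
        self.max_resets = max_resets
        self.hard_limit = hard_limit
        self.reset_on_reuse = reset_on_reuse
        self._entries = {}

    def store(self, sid, now):
        # A fresh session never lives past the hard limit, whatever the timeout.
        expires = min(now + self.timeout, now + self.hard_limit)
        self._entries[sid] = Session(created=now, expires=expires)

    def resume(self, sid, now):
        """Return True if `sid` is resumable at time `now` (SSL_session_reused()=1).

        Expired entries are evicted. A successful resumption pushes the expiry
        out by `timeout`, but never beyond `created + hard_limit`, and at most
        `max_resets` times, so a client cannot keep one session alive forever.
        """
        s = self._entries.get(sid)
        if s is None:
            return False
        if now >= s.expires or now >= s.created + self.hard_limit:
            del self._entries[sid]
            return False
        if self.reset_on_reuse and s.resets < self.max_resets:
            s.expires = min(now + self.timeout, s.created + self.hard_limit)
            s.resets += 1
        return True


def simulate(timeout, max_resets, hard_limit, reuse_interval, attempts):
    """One client resumes every `reuse_interval` seconds.

    Returns (hits in the process-local cache where the reset is applied,
             hits in the backing store that never receives the update).
    """
    internal = SessionCache(timeout, max_resets, hard_limit, reset_on_reuse=True)
    external = SessionCache(timeout, max_resets, hard_limit, reset_on_reuse=False)
    internal.store("sid-1", 0)  # constructed session id
    external.store("sid-1", 0)
    internal_hits = external_hits = 0
    for i in range(1, attempts + 1):
        now = i * reuse_interval
        if internal.resume("sid-1", now):
            internal_hits += 1
        if external.resume("sid-1", now):
            external_hits += 1
    return internal_hits, external_hits


if __name__ == "__main__":
    # 30 s timeout, at most 10 resets, 1500 s absolute limit, client back every 20 s
    print("reset bounded by count:", simulate(30, 10, 1500, 20, 12))
    # 30 s timeout, generous reset count, but a 100 s absolute limit
    print("reset bounded by lifetime:", simulate(30, 1000, 100, 20, 6))
```

With a 30 second timeout and a client returning every 20 seconds, the process-local cache keeps resuming the session until the reset budget or the hard limit is exhausted, while the backing store's copy of the same session is gone after the first 30 seconds; any second process that consults only the backing store will force a full handshake, which is exactly the synchronisation problem the message describes.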
