On Thu, Oct 06, 2005 at 09:51:47AM -0400, Cliff Woolley wrote:
> > I know the SSL session timeout param can be configured by the directive
> > "SSLSessionCacheTimeout". Is there any setting or API for the browser or
> > client application to configure the SSL session timeout param and override
> > the server's one such that each application can configure their timeout
> > period of the SSL connection according to their requirement?
>
> Nope... not that I know of.
>
Just to clear this up - both the client and the server choose whether they
want to reuse sessions. SSLSessionCacheTimeout sets how long the server is
willing to reuse a session, but a client may choose not to reuse the session
after a shorter time. When a session expires on the server, a client may try
to reuse the session, but the server won't allow that.

One example of a client using short session times is IE, which would expire
SSL2 sessions really fast, but allow TLSv1 with strong crypto to live much
longer (that experience is a couple of years old, so they've probably changed
the policy many times over since then).

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
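
The reuse decision described in the reply above, as an added example that is not part of the original post and is not mod_ssl or OpenSSL code: a simplified Python model of session-ID resumption in which the class names, the explicit clock and the timeout values are constructed for illustration. It shows that a session is resumed only while both sides still accept it, and that an expired server-side entry leads to a full handshake rather than a failed connection.

```python
# Simplified model of TLS session-ID resumption (illustrative only).
# All names and values here are hypothetical; times are plain seconds.
import itertools

class Server:
    """cache_timeout plays the role of SSLSessionCacheTimeout."""
    def __init__(self, cache_timeout):
        self.cache_timeout = cache_timeout
        self.cache = {}                       # session_id -> creation time
        self._ids = itertools.count(1)

    def handshake(self, offered_id, now):
        created = self.cache.get(offered_id)
        if created is not None and now - created < self.cache_timeout:
            return offered_id, "resumed"      # abbreviated handshake
        self.cache.pop(offered_id, None)      # expired or unknown: forget it
        new_id = next(self._ids)
        self.cache[new_id] = now
        return new_id, "full"                 # fall back to a full handshake

class Client:
    """Offers its saved session only while it is younger than max_age."""
    def __init__(self, max_age):
        self.max_age = max_age
        self.session = None                   # (session_id, creation time)

    def connect(self, server, now):
        offer = None
        if self.session and now - self.session[1] < self.max_age:
            offer = self.session[0]
        sid, kind = server.handshake(offer, now)
        if kind == "full":
            self.session = (sid, now)         # remember the new session
        return kind, offer is not None        # (handshake type, did we offer?)

def run(server_timeout, client_max_age, times):
    """Connect at each time in `times`; return the outcome of every connection."""
    server, client = Server(server_timeout), Client(client_max_age)
    return [client.connect(server, t) for t in times]

if __name__ == "__main__":
    # Client policy shorter than the server's: client stops offering first.
    print(run(300, 60, [0, 30, 90]))
    # Server timeout shorter: client still offers, server declines to resume.
    print(run(60, 3600, [0, 30, 90, 100]))
```
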