On 23/01/2021 15:22, John Thoe wrote:
> Hi list,
>
> The session reuse question posted on the mailing list earlier
> (https://mta.openssl.org/pipermail/openssl-users/2021-January/013360.html)
> reminded me of a somewhat similar question I have.
>
> As per the docs,
> https://www.openssl.org/docs/man1.0.2/man3/SSL_get_default_timeout.html,
> it says the default value is 300 seconds for which a session reuse
> will be accepted. The docs say that it is the same for all
> protocols.
>
> However I tried it with my setup where I didn't explicitly set the
> timeout and I am getting 7200 seconds as the default value. s_client
> output: TLS session ticket lifetime hint: 7200 (seconds). My client
> openssl.conf has no setting override (not that it should matter
> because this is a server preference). No OpenSSL settings on the
> server have been modified either.

Looks to me like the docs are wrong. They probably should say 7200.

> In ssl/ssl_sess.c#L80, the code matches the document:
>
>     ss->timeout = 60 * 5 + 4; /* 5 minute timeout by default */
>
> ... (with additional four seconds?)

This gets set during construction and then later overwritten when we
actually get a new session via "ssl_get_new_session":

    /* If the context has a default timeout, use it */
    if (s->session_ctx->session_timeout == 0)
        ss->timeout = SSL_get_default_timeout(s);
    else
        ss->timeout = s->session_ctx->session_timeout;

In most cases SSL_get_default_timeout() calls tls1_default_timeout() (it
can end up somewhere different for certain protocol versions - but all
the different variants are the same!):

    long tls1_default_timeout(void)
    {
        /*
         * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
         * http, the cache would over fill
         */
        return (60 * 60 * 2);
    }

60 * 60 * 2 = 7200

Matt
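A client-side way to check what a server actually advertises, as an added example that is not part of this thread or of OpenSSL itself: it parses the session block that `openssl s_client` prints after a handshake (the "TLS session ticket lifetime hint" line and the "Timeout" field), mirrors the ssl_get_new_session() selection quoted above to compute the value you should expect, and flags anything over a policy maximum. The sample output is constructed for the example; the policy threshold, the `configured` parameter and all helper names are my own.

```python
"""Check the session timeout a TLS server actually advertises.

Added example, not code from the mailing-list thread or from OpenSSL.
The s_client output below is constructed to look like the real thing.
"""
import re
import subprocess
from typing import Optional

# What the 1.0.2 SSL_get_default_timeout man page claims ...
DOCUMENTED_DEFAULT = 300
# ... and what tls1_default_timeout() in the quoted source returns.
ACTUAL_DEFAULT = 60 * 60 * 2  # 7200

_HINT_RE = re.compile(r"TLS session ticket lifetime hint:\s*(\d+)\s*\(seconds\)")
_TIMEOUT_RE = re.compile(r"^\s*Timeout\s*:\s*(\d+)\s*\(sec\)", re.MULTILINE)

# Constructed sample of the SSL-Session block s_client prints (values are made up).
SAMPLE_S_CLIENT_OUTPUT = """\
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: (constructed sample)
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - (constructed sample)
    Start Time: 1611415320
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
"""


def expected_timeout(configured: int = 0) -> int:
    """Mirror the selection in ssl_get_new_session(): a context timeout of 0
    means 'use the protocol default', which is tls1_default_timeout() == 7200,
    not the 300 s the man page documents."""
    return ACTUAL_DEFAULT if configured == 0 else configured


def parse_s_client(output: str) -> dict:
    """Pull the ticket lifetime hint and the session Timeout out of s_client text.
    Either may be absent (no ticket issued, no resumption negotiated)."""
    hint = _HINT_RE.search(output)
    timeout = _TIMEOUT_RE.search(output)
    return {
        "ticket_lifetime_hint": int(hint.group(1)) if hint else None,
        "session_timeout": int(timeout.group(1)) if timeout else None,
    }


def check_session_timeout(output: str, max_seconds: int, configured: int = 0) -> list:
    """Return findings as strings; an empty list means the server matches policy.
    `configured` is the value you believe was passed to SSL_CTX_set_timeout()
    on the server (0 if it was never called)."""
    parsed = parse_s_client(output)
    hint, timeout = parsed["ticket_lifetime_hint"], parsed["session_timeout"]
    findings = []
    if hint is None and timeout is None:
        findings.append("no session timeout information found; was resumption negotiated?")
        return findings
    for name, value in (("ticket lifetime hint", hint), ("session timeout", timeout)):
        if value is not None and value > max_seconds:
            findings.append(f"{name} {value}s exceeds policy maximum {max_seconds}s")
    want = expected_timeout(configured)
    if hint is not None and hint != want:
        findings.append(f"ticket lifetime hint {hint}s differs from expected {want}s; "
                        "check whether SSL_CTX_set_timeout() is called somewhere")
    return findings


def run_s_client(host: str, port: int = 443) -> str:
    """Run the real openssl s_client against a host (needs the openssl CLI,
    network access, and is not used by the offline checks below)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=30, check=False)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    # Against the constructed sample, a 300 s policy (the documented value)
    # produces two findings; a 7200 s policy produces none.
    for finding in check_session_timeout(SAMPLE_S_CLIENT_OUTPUT, max_seconds=DOCUMENTED_DEFAULT):
        print("FINDING:", finding)
    print("at 7200 s:", check_session_timeout(SAMPLE_S_CLIENT_OUTPUT, max_seconds=ACTUAL_DEFAULT))
```

Run it as-is to see the offline checks, or feed `run_s_client(host)` into `check_session_timeout()` to test a live server. Note that the ticket lifetime hint is what the server tells the client; the server's own cache may still expire the session earlier if SSL_CTX_set_timeout() was changed after the ticket key was set up, so treat the hint as an upper bound.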