Re: Default value of a session resumption timeout (300 seconds vs 7200 seconds)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thank you both for bringing this to my attention, your points are invaluable.

If this is something which gets set from server on client side. can client override this?. Can i change this to something less and try?. Has anyone tried?.

Whats the option in openssl.conf or some other place?.

-thanks
harish


On Mon, Jan 25, 2021 at 11:08 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:


On 23/01/2021 15:22, John Thoe wrote:
> Hi list,
>
> The session reuse question posted on the mailing list earlier
> (https://mta.openssl.org/pipermail/openssl-users/2021-January/013360.html)
> reminded of a somewhat similar question I have.
>
> As per the docs,
> https://www.openssl.org/docs/man1.0.2/man3/SSL_get_default_timeout.html,
> it says the default value is 300 seconds for which a session resuse
> will be accepted. The docs say that it is the same for all
> protocols.
>
> However I tried it with my setup where I didn't explicitly set the
> timeout and I am getting 7200 seconds as the default value. s_client
> output: TLS session ticket lifetime hint: 7200 (seconds). My client
> openssl.conf has no setting override (not that it should matter
> because this is a server preference). No OpenSSL settings on the
> server have been modified as well.

Looks to me like the docs are wrong. They probably should say 7200.


>
> In ssl/ssl_sess.c#L80, the code matches the document: ss->timeout =
> 60 * 5 + 4;   /* 5 minute timeout by default */ ... (with additional
> four seconds?)


This gets set during construction and then later overwritten when we
actually get a new session via "ssl_get_new_session":

    /* If the context has a default timeout, use it */
    if (s->session_ctx->session_timeout == 0)
        ss->timeout = SSL_get_default_timeout(s);
    else
        ss->timeout = s->session_ctx->session_timeout;

In most cases SSL_get_default_timeout() calls tls1_default_timeout() (it
can end up somewhere different for certain protocol versions - but all
the different variants are the same!):

long tls1_default_timeout(void)
{
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}

60 * 60 * 2 = 7200


Matt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux