Joe Orton wrote:
> On Tue, Mar 17, 2009 at 02:39:56PM +0200, Eddy Nigg wrote:
>> On 03/17/2009 01:55 PM, Ian G:
>>> [4] There is some discussion about session caching, and it may be true that there are server problems to be sorted out. But as far as I can see, most of the sites that I deal with have this issue, so it may bounce back to being a client-side issue regardless of what we say.
>> That's because Apache's default cache timeout is set to 30 seconds or so. And might be buggy in addition to that.
>
> The default mod_ssl configuration uses a 300 second timeout, not 30. There's a plea being made here that mod_ssl should cache sessions by default for what, hours? Days?

The suggested timeout time from the spec is 24 hours (1 day) for SSL3 and TLS. It's not just client auth that's the issue, there are significant resource costs on the server for each full handshake. I'm very surprised that apache has such short timeout times.

> It seems like a poor trade-off to require a larger memory footprint of all the SSL servers in the world, rather than improve Firefox to be a bit smarter about caching/allowing-to-be-cached the association between a client cert and a given URL prefix or whatever.
Cert selection for Firefox does need to be improved. On the other hand, I found the larger memory footprint argument somewhat confusing. At the cost of about 20 bytes per client you would rather chew up CPU and network resources? That seems like a poor tradeoff to me.

bob
> Regards, Joe
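For readers who want to see the two mod_ssl settings this thread is arguing over, here is an added configuration fragment (it is not part of any poster's message). The directive names and the 300 second default are from the stock httpd-ssl.conf; the 86400 second value and the cache path/size are constructed for illustration and are assumptions, not a recommendation from the list.

```apache
# Stock mod_ssl defaults: a shared-memory cache (shmcb) and a
# 300 second (5 minute) session lifetime. A client that returns
# after 5 minutes must do a full handshake, including client-cert
# prompting when client auth is in use.
SSLSessionCache        "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# Constructed alternative for comparison: the 24 hour lifetime the
# spec suggests. A longer timeout keeps more entries alive at once,
# so the shmcb size (in bytes, inside the parentheses) must grow
# with it or old sessions get evicted before they expire; the value
# below is a placeholder, not a sized recommendation.
#SSLSessionCache        "shmcb:logs/ssl_scache(8192000)"
#SSLSessionCacheTimeout 86400
```

Whichever lifetime is chosen, the cache size and the timeout have to be set together: the timeout only bounds how long an entry may be reused, while the cache size bounds how many entries survive long enough to be reused at all.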


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto