Nicolas,

I have seen this problem many times. The MS client renegotiates every 2
minutes by default.  There is a registry setting in Windows that tells
the browser how often to force a renegotiation in the SSL session, but
off the top of my head I can't remember it.  I will dig to try to find
it.  This solution entails that you are able to influence all users of
the system to impose a registry change.  If you can't do this, then the
solution is void and you must find another way to load balance.

Hope this helps.

George

> Nicolas Laigle wrote:
> 
> Hi everybody,
> 
> I'm not sure if this is the right place to post this message, if not
> then my apologies.
> 
> We are currently using OpenSSL 0.9.6.b engine version with Apache
> 1.3.19 for commercial purposes and we are facing a problem related to
> load balancing and SSL SESSIONID.
> 
> We are using a level 7 switch to load balance over multiple
> reverse-proxy for our web front end. The level 7 switch has the
> capability to ensure the session affinity using either the SSL
> SESSIONID or the source IP address.
> 
> We would like to avoid using the source IP address because this is too
> dependent on the client infrastructure (proxy, ...).
> 
> Currently, we force SSL V3 or TLS 1.0 SSL connection types.
> 
> We first intended to use the SSL SESSION ID but we quickly observed
> that this ID was changing during the client session. This is true with
> client browsers such as MSIE 5.x and 6.X.
> 
> My questions are:
> 
> 1) Is the change of SSL SESSIONID a normal behavior during SSL
> re-negotiation?
> 
> 2) Is there any OpenSSL configuration that could influence the
> re-negotiation of the SSL SESSIONID?
> 
> 3) Is the SSL re-negotiation dependent on the client browser type or
> version?
> 
> Hope these questions won't bother you too much. Thanks for your help.
> 
> Best regards.
> ----------------------------------------------------------------------
> 
> Nicolas Laigle
> 148, rue Anatole France
> 92688 Levallois-Perret
> +33 (0)1 55 63 14 65
> Fax +33 (0)1 55 63 55 31
> [EMAIL PROTECTED]
> http://www.fr.adp.com
> 
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
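
An added example, not part of the original thread: one way to measure from the reverse proxy's own logs how often a client's SSL session ID changes, before relying on session-ID affinity at the switch. It assumes a hypothetical log format of timestamp, client address and session ID per request (mod_ssl exposes the ID as the SSL_SESSION_ID variable) and one test client per address; the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample input. Assumed (hypothetical) line format:
#   <ISO timestamp> <client address> <SSL session ID in hex>
SAMPLE_LOG = """\
2001-11-05T10:00:00 192.0.2.10 A1B2C3
2001-11-05T10:00:40 192.0.2.10 A1B2C3
2001-11-05T10:02:05 192.0.2.10 D4E5F6
2001-11-05T10:03:10 192.0.2.10 D4E5F6
2001-11-05T10:04:07 192.0.2.10 0718AA
2001-11-05T10:00:10 192.0.2.77 FFEE01
2001-11-05T10:09:30 192.0.2.77 FFEE01
"""

def session_id_changes(log_text):
    """Return {client: [(time, old_id, new_id, seconds_old_id_was_in_use)]}."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] == "-":
            continue  # blank line, or request logged without a session ID
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparsable timestamp: ignore the line
        rows.append((ts, parts[1], parts[2].upper()))

    current = {}                 # client -> (session ID, time first seen)
    changes = defaultdict(list)
    for ts, client, sid in sorted(rows):   # process in time order
        if client not in current:
            current[client] = (sid, ts)
        elif current[client][0] != sid:
            old_sid, first_seen = current[client]
            lifetime = int((ts - first_seen).total_seconds())
            changes[client].append((ts.isoformat(), old_sid, sid, lifetime))
            current[client] = (sid, ts)
    return dict(changes)

if __name__ == "__main__":
    for client, events in session_id_changes(SAMPLE_LOG).items():
        for when, old, new, lifetime in events:
            print(f"{client} {when}: {old} -> {new} after {lifetime}s")
```

A client whose ID lifetimes cluster around a fixed interval will lose affinity at that interval if the switch keys on the session ID alone.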