I am trying to determine a good length for SSL Session timeouts. It appears
the default cache length is 5 minutes, but if the session is reused within
those five minutes, its timeout is renewed to five minutes, and so on.
What I can't find is whether there is a global maximum number of
times/
>>What I can't find is whether there is a global maximum number of
>On the server side you can set a maximum time with
>SSLSessionCacheTimeout, but different clients have their own
>settings:
OK, so I suppose my question is: is there a difference between cache timeouts
and session time-to-live?
Please CC: [EMAIL PROTECTED] on all replies since my subscription has
not gone through yet.
I wrote some functions that use the vendor hooks in mod_ssl to store SSL
sessions in a SQL database (so separate physical web servers can share
session caches)... I have it to the point where if it look
The placement of the ssl_scache_expire() call in ssl_scache_init() is above
the vendor hook for scache_init.
ssl_scache_expire() also has a vendor hook in it for scache_expire. I
believe that the hook for scache_init should be called before the hook for
scache_expire.
My vendor expire() functio
Another thing I've noticed while trying to get my distributed session cache
to work:
OpenSSL maintains an internal cache, and automatically expires sessions when
they have passed their timeout. This is done by comparing the "time" member
of the SSL_SESSION struct against its "timeout" member.
I believe OpenSSL also maintains an internal session cache. If it finds
the session there, it won't even call the mod_ssl retrieve callback.
You can probably configure OpenSSL to not cache, or at least edit the
session cache timeout it has to something like 1 second, in
openssl-ver/ssl/ssl-sess.c
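As an added example (not code from any of the posts above, and not mod_ssl's or OpenSSL's own cache), the following C sketch keeps the two clocks that the "cache timeout vs. session time-to-live" question runs together: a sliding cache timeout that is renewed on each reuse, in the spirit of the "time"/"timeout" comparison mentioned above, and an absolute time-to-live counted from creation. The absolute TTL is an assumed policy field, not something OpenSSL's SSL_SESSION carries, and the names scache_store/scache_retrieve/scache_expire are the example's own, loosely echoing the hook names in the thread. It uses a fixed in-memory table rather than a SQL database and takes the clock as a parameter so the expiry rules can be exercised deterministically.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

#define MAX_SESSIONS 16
#define MAX_ID_LEN   32   /* TLS session IDs are at most 32 bytes */

typedef struct {
    unsigned char id[MAX_ID_LEN];
    size_t        id_len;
    time_t        created;    /* when first stored: basis for the absolute TTL */
    time_t        last_used;  /* renewed on each resumption: basis for the sliding timeout */
    long          timeout;    /* sliding inactivity timeout, seconds (cf. SSL_SESSION "timeout") */
    long          ttl;        /* absolute lifetime cap, seconds (assumed policy, not an OpenSSL field) */
    int           in_use;
} cache_entry;

typedef struct {
    cache_entry slot[MAX_SESSIONS];
} session_cache;

void scache_init(session_cache *c)
{
    memset(c, 0, sizeof *c);
}

/* An entry is dead as soon as either clock has run out. */
static int entry_expired(const cache_entry *e, time_t now)
{
    return now > e->last_used + e->timeout || now > e->created + e->ttl;
}

static cache_entry *find_entry(session_cache *c, const unsigned char *id, size_t id_len)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        cache_entry *e = &c->slot[i];
        if (e->in_use && e->id_len == id_len && memcmp(e->id, id, id_len) == 0)
            return e;
    }
    return NULL;
}

/* Store a new session (or overwrite one with the same ID). Both clocks start at "now".
 * Returns 1 on success, 0 if the ID is invalid or the table is full. */
int scache_store(session_cache *c, const unsigned char *id, size_t id_len,
                 long timeout, long ttl, time_t now)
{
    if (id_len == 0 || id_len > MAX_ID_LEN)
        return 0;
    cache_entry *e = find_entry(c, id, id_len);
    for (size_t i = 0; e == NULL && i < MAX_SESSIONS; i++)
        if (!c->slot[i].in_use)
            e = &c->slot[i];
    if (e == NULL)
        return 0;
    memcpy(e->id, id, id_len);
    e->id_len    = id_len;
    e->created   = now;
    e->last_used = now;
    e->timeout   = timeout;
    e->ttl       = ttl;
    e->in_use    = 1;
    return 1;
}

/* Look a session up for resumption. A hit renews the sliding timeout only; the
 * absolute TTL keeps counting from "created". An expired entry is dropped on the
 * spot and reported as a miss, so a stale session is never resumed just because
 * the periodic sweeper has not run yet. Returns 1 on a hit, 0 on a miss. */
int scache_retrieve(session_cache *c, const unsigned char *id, size_t id_len, time_t now)
{
    cache_entry *e = find_entry(c, id, id_len);
    if (e == NULL)
        return 0;
    if (entry_expired(e, now)) {
        e->in_use = 0;
        return 0;
    }
    e->last_used = now;
    return 1;
}

/* Periodic sweep (the counterpart of the scache_expire hook discussed above).
 * Returns how many entries were removed. */
int scache_expire(session_cache *c, time_t now)
{
    int removed = 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        cache_entry *e = &c->slot[i];
        if (e->in_use && entry_expired(e, now)) {
            e->in_use = 0;
            removed++;
        }
    }
    return removed;
}

int scache_count(const session_cache *c)
{
    int n = 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        n += c->slot[i].in_use;
    return n;
}
```

With timeout=300 and ttl=1000, a session resumed every 200 seconds survives the sliding timeout indefinitely but is refused once 1000 seconds have passed since it was created; with no absolute cap it would live as long as clients keep resuming it, which is the renewal-on-reuse behaviour the first question describes. A shared (database-backed) cache needs the same two checks on the retrieve path, not only in the sweeper, because another server's sweeper may not have run yet.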
>SSLpassphrasefile is:
>
>#!/bin/sh
>echo (passphrase)
Write a program in C.
First thing to check is to make sure that stdout is not a tty.
There are various things you can do to make it harder and harder for a
hacker to steal your key. But if the hacker has root on your machine,
there's really
I'm trying to get SSL handshaking to work on a remote, accelerated machine
to take some load off of the web servers when they have a lot of incoming
connections.
Since the accelerator card in the remote machine supports OpenSSL, I figured
I would use the OpenSSL routines on that machine to do t
Winged Wolf wrote: (hotmail has a broken "reply to all")
>You're also going to have to munge the information in the keystructure
>itself, so that SSL itself doesn't complain that the IP or port that it's
>communicating with has changed.
Okay, well, I revised what my program was going to be doing
>In our shop, it just runs and I am there the time I have to restart it
>every year
I still think it should be a binary file, executable by root only. Start
apache as root, and have it setuid to 'nobody' or whatever your httpd user
is after reading the pass phrase.
If someone has root on yo
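As an added example (not a program from the thread, and not mod_ssl's own code), this is one way to write the root-only pass phrase helper the replies above recommend for exec:-style SSLPassPhraseDialog use, in C rather than the shell echo script quoted earlier. It assumes the binary is installed root-owned and mode 0500, that the server is started as root and drops privileges afterwards, and that the pass phrase lives in a root-only file at PASSPHRASE_FILE (a placeholder path). It checks that stdout is not a terminal before printing anything, that it is running as root, and that the pass phrase file is a regular, root-owned file with no group/world access.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed location; must be a root-owned regular file, mode 0400 or 0600. */
#define PASSPHRASE_FILE "/etc/ssl/private/server.key.pass"

/* The secret may only go to the pipe the server set up, never to an interactive
 * terminal. Returns 1 if fd is acceptable, 0 if it is a tty. */
int output_fd_acceptable(int fd)
{
    return isatty(fd) ? 0 : 1;
}

/* Trust only root-owned regular files with no group/world bits as a pass phrase source. */
int passfile_mode_acceptable(const struct stat *st)
{
    return S_ISREG(st->st_mode)
        && st->st_uid == 0
        && (st->st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Strip trailing newline(s) so exactly one clean line is emitted. Returns the new length. */
size_t trim_newline(char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        len--;
    buf[len] = '\0';
    return len;
}

int main(void)
{
    /* mod_ssl passes arguments identifying the server and key; this example
     * serves a single key and ignores them. */
    if (!output_fd_acceptable(STDOUT_FILENO)) {
        fprintf(stderr, "refusing to write a pass phrase to a terminal\n");
        return 1;
    }
    if (geteuid() != 0) {
        fprintf(stderr, "must run as root (the server reads the key before dropping privileges)\n");
        return 1;
    }
    /* O_NOFOLLOW: a symlink planted at the path must not redirect the read. */
    int fd = open(PASSPHRASE_FILE, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0 || !passfile_mode_acceptable(&st)) {
        fprintf(stderr, "pass phrase file missing or badly protected\n");
        return 1;
    }
    char buf[256];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) {
        fprintf(stderr, "could not read pass phrase\n");
        return 1;
    }
    size_t len = trim_newline(buf, (size_t)n);
    if (len == 0) {
        fprintf(stderr, "empty pass phrase\n");
        return 1;
    }
    /* Same output shape as the shell echo: the pass phrase followed by a newline. */
    fwrite(buf, 1, len, stdout);
    fputc('\n', stdout);
    fflush(stdout);
    memset(buf, 0, sizeof buf);   /* scrub the copy before exit */
    return 0;
}
```

The tty check matters because the easiest way to leak such a helper's output is for someone to run it by hand; refusing a terminal and requiring root turns that into a deliberate, privileged act. None of this helps against an attacker who already has root, as the replies above point out.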