On Thu, Oct 06, 2005 at 09:51:47AM -0400, Cliff Woolley wrote:
> > I know the SSL session timeout param can be configured by the directive
> > "SSLSessionCacheTimeout". Is there any setting or API for the browser or
> > client application to configure the SSL session timeout param and override
> > the server's one such that each application can configure their timeout
> > period of the SSL connection according to their requirement?

> Nope... not that I know of.

Just to clear this up - both the client and the server choose wether
they want to reuse sessions. SSLSessionCacheTimeout sets how long the
server is willing to reuse a session, but a client may choose not to
reuse the session after a shorter time. When a session expires on the
server, a client may try to reuse the session, but the server won't
allow that.
One example of a client using short session times is IE which would
expire SSL2 sessions really fast, but allow TLSv1 with strong crypto to
live much longer (that experience is a couple of years old, so they've
probably changed the policy many times over since then).


Mads Toftum
`Darn it, who spiked my coffee with water?!' - lwall

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org