On 11.02.2019 at 10:18, Mark Thomas wrote:
> The OpenSSL defaults are:
> - session caching enabled
> - session timeout 300 (seconds)
>
> r1686258 changed those to:
> - session caching disabled
> - session timeout 14400 (4 hours)
>
> This was part of the netty changes.
>
> I think the timeout change is OK but I think the session caching should
> be enabled by default.
>
> Thoughts?

Are we talking about server-side caching based on session IDs, or about 
TLS session tickets (RFC 5077)? Both allow TLS sessions to span more 
than one connection.

Server-side caching needs some session storage facility; I'm unsure what 
OpenSSL brings with it. In the Apache web server the storage is 
implemented as part of the web server, but maybe this is only due to 
needing it in a multi-process setup (as shared memory). The requirements 
are simpler for tcnative. I don't know the specifics of the OpenSSL 
storage implementation, e.g. the cleanup mechanism and memory demand.

When using the session ticket extension, the server does not need to 
store and manage the sessions, but the caveat is key rotation. The key 
shouldn't be used for too long. Again, this is from the Apache web 
server; I'm unsure what OpenSSL provides on its own, but I think one 
needs to implement a callback.

The more modern approach would be the session ticket extension. One 
wouldn't have to store the sessions, but one would have to think about 
key rotation. Whichever way we choose, I tend to prefer enabled 
sessions as the default. A good timeout is not easy, because it would 
probably depend on the amount of data the keys were used for, and we only 
have usage time available. The Apache web server documents 300 seconds.

Regards,

Rainer
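The two mechanisms discussed in this thread (a stateful server-side session cache keyed by session ID versus stateless RFC 5077 tickets, and the key-rotation caveat that comes with tickets) can be watched on a loopback connection. The following is an added example, not code from this thread, from tcnative or from OpenSSL; it uses Go's crypto/tls, which implements only the ticket mechanism (it has no server-side session-ID cache), so it demonstrates the ticket half of the discussion: a client resumes across connections while the key that issued its ticket is still in service, and silently falls back to a full handshake once the server rotates to a key set that no longer contains that key. The self-signed "localhost" certificate, the ticket keys and the helper functions (selfSignedCert, ticketKey, connect, ResumptionDemo) are constructed for this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway "localhost" certificate in memory (constructed for the demo).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced ourselves
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ticketKey draws a random 32-byte ticket key (the size crypto/tls expects).
func ticketKey() (k [32]byte) {
	if _, err := rand.Read(k[:]); err != nil {
		panic(err)
	}
	return
}

// connect opens one connection, reads the greeting (which also delivers the ticket into the client cache) and reports whether the handshake resumed.
func connect(addr string, cfg *tls.Config) (bool, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err := conn.Read(make([]byte, 16)); err != nil {
		return false, err
	}
	return conn.ConnectionState().DidResume, nil
}

// ResumptionDemo reports whether a 2nd connection resumed while the issuing key is in service,
// and whether a 3rd resumed after the server rotated to a key set that drops that key.
func ResumptionDemo() (beforeRotation, afterRotation bool, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return false, false, err
	}
	// First key encrypts new tickets, every listed key may decrypt; SessionTicketsDisabled: true would be "caching disabled".
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	srvCfg.SetSessionTicketKeys([][32]byte{ticketKey()})
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	go func() { // answer every connection with one line; the write completes the
		for { //   handshake and flushes the NewSessionTicket ahead of the data
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); fmt.Fprintln(c, "hello") }(c)
		}
	}()
	cliCfg := &tls.Config{ServerName: "localhost", RootCAs: pool,
		ClientSessionCache: tls.NewLRUClientSessionCache(8)} // the client-side cache
	addr := ln.Addr().String()
	if _, err = connect(addr, cliCfg); err != nil { // full handshake, receives a ticket
		return false, false, err
	}
	if beforeRotation, err = connect(addr, cliCfg); err != nil {
		return false, false, err
	}
	// Abrupt rotation: the old key is dropped, so tickets it issued no longer decrypt.
	// A graceful rotation would pass {newKey, oldKey} for at least the ticket lifetime.
	srvCfg.SetSessionTicketKeys([][32]byte{ticketKey()})
	afterRotation, err = connect(addr, cliCfg)
	return beforeRotation, afterRotation, err
}

func main() {
	fmt.Println(ResumptionDemo()) // expect: true false <nil>
}
```

The rotation step is where the caveat bites: a key that is removed from the accepted set invalidates every outstanding ticket it encrypted, so a cautious rotation keeps the previous key in the decrypt-only position for a grace period and only encrypts under the new one. OpenSSL's equivalent hook is the ticket-key callback set with SSL_CTX_set_tlsext_ticket_key_cb, where the decrypt path can return 2 to signal "accepted under an old key, issue a renewed ticket under the current one". Go, when no keys are set explicitly, rotates its own ticket keys every 24 hours automatically.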

