Default value of a session resumption timeout (300 seconds vs 7200 seconds)

Harish Kulkarni harishvk27 at gmail.com
Wed Jan 27 05:59:40 UTC 2021


Even if the session lifetime is proposed by the server, if the client has a
local configuration, shouldn't we pick the minimum of what the server is
configuring and what the client is configured with?

If we don't have this option in OpenSSL, should we have this change? Anyone
interested in working along with me?

-thanks
harish


On Tue, Jan 26, 2021 at 11:43 PM Harish Kulkarni <harishvk27 at gmail.com>
wrote:

> Thank you both for bringing this to my attention, your points are
> invaluable.
>
> If this is something which gets set from the server on the client side, can
> the client override this? Can I change this to something less and try? Has
> anyone tried?
>
> What's the option in openssl.conf or some other place?
>
> -thanks
> harish
>
>
> On Mon, Jan 25, 2021 at 11:08 PM Matt Caswell <matt at openssl.org> wrote:
>
>>
>>
>> On 23/01/2021 15:22, John Thoe wrote:
>> > Hi list,
>> >
>> > The session reuse question posted on the mailing list earlier
>> > (
>> https://mta.openssl.org/pipermail/openssl-users/2021-January/013360.html)
>> > reminded me of a somewhat similar question I have.
>> >
>> > As per the docs,
>> > https://www.openssl.org/docs/man1.0.2/man3/SSL_get_default_timeout.html,
>> > it says the default value is 300 seconds for which a session reuse
>> > will be accepted. The docs say that it is the same for all
>> > protocols.
>> >
>> > However I tried it with my setup where I didn't explicitly set the
>> > timeout and I am getting 7200 seconds as the default value. s_client
>> > output: TLS session ticket lifetime hint: 7200 (seconds). My client
>> > openssl.conf has no setting override (not that it should matter
>> > because this is a server preference). No OpenSSL settings on the
>> > server have been modified as well.
>>
>> Looks to me like the docs are wrong. They probably should say 7200.
>>
>>
>> >
>> > In ssl/ssl_sess.c#L80, the code matches the document: ss->timeout =
>> > 60 * 5 + 4;   /* 5 minute timeout by default */ ... (with additional
>> > four seconds?)
>>
>>
>> This gets set during construction and then later overwritten when we
>> actually get a new session via "ssl_get_new_session":
>>
>>     /* If the context has a default timeout, use it */
>>     if (s->session_ctx->session_timeout == 0)
>>         ss->timeout = SSL_get_default_timeout(s);
>>     else
>>         ss->timeout = s->session_ctx->session_timeout;
>>
>> In most cases SSL_get_default_timeout() calls tls1_default_timeout() (it
>> can end up somewhere different for certain protocol versions - but all
>> the different variants are the same!):
>>
>> long tls1_default_timeout(void)
>> {
>>     /*
>>      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
>>      * http, the cache would over fill
>>      */
>>     return (60 * 60 * 2);
>> }
>>
>> 60 * 60 * 2 = 7200
>>
>>
>> Matt
>>
>>
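The timeout selection Matt describes, plus the client-side "take the minimum" policy Harish proposes, as an added stand-alone C model (not OpenSSL code and not from the thread); the function names `server_session_timeout`, `client_effective_timeout` and `session_resumable` are assumptions chosen for illustration, and the construction-time value 304 and the 7200-second default are the ones quoted above:

```c
#include <stdio.h>
#include <time.h>

/* Mirror of the quoted tls1_default_timeout(): two hours. */
long tls1_default_timeout(void)
{
    return 60 * 60 * 2;            /* 7200 */
}

/* The value assigned during SSL_SESSION construction (60 * 5 + 4).
 * It is overwritten by ssl_get_new_session, so it never reaches the wire. */
long construction_time_timeout(void)
{
    return 60 * 5 + 4;             /* 304 */
}

/* What the server ends up assigning to a new session: the SSL_CTX's
 * session_timeout when one was set (nonzero), otherwise the default. */
long server_session_timeout(long ctx_session_timeout)
{
    if (ctx_session_timeout == 0)
        return tls1_default_timeout();
    return ctx_session_timeout;
}

/* Client-side policy (hypothetical helper): the session is kept for the
 * smaller of the server's lifetime hint and a local cap; 0 means no cap. */
long client_effective_timeout(long server_hint, long local_max)
{
    if (local_max <= 0)
        return server_hint;
    return server_hint < local_max ? server_hint : local_max;
}

/* Is a cached session still inside its timeout window at time `now`? */
int session_resumable(time_t created, long timeout, time_t now)
{
    return now >= created && (now - created) < timeout;
}

int main(void)
{
    long hint = server_session_timeout(0);            /* server left ctx timeout unset */
    long eff  = client_effective_timeout(hint, 300);   /* client caps at 5 minutes */
    time_t t0 = 1000;                                  /* constructed creation time */
    printf("construction=%ld server_hint=%ld effective=%ld resumable_after_299s=%d after_300s=%d\n",
           construction_time_timeout(), hint, eff,
           session_resumable(t0, eff, t0 + 299), session_resumable(t0, eff, t0 + 300));
    return 0;
}
```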