Getting SSL_SESSION remaining lifetime

Viktor Dukhovni openssl-users at dukhovni.org
Thu Sep 16 03:18:23 UTC 2021


On Thu, Sep 16, 2021 at 08:11:44AM +0530, Jaya Muthiah wrote:

> I am trying to get the remaining lifetime of the ticket so that server can
> decide to renew ticket or not

In Postfix, I rotate ticket keys every hour, and sessions are valid for
two hours.  For the first hour when they were issued by the current
ticket the ticket is accepted without forcing a new ticket to be
generated.  Durign the second hour when accepting tickets signed by
the previous key, a fresh ticket is generated.

I don't rely on OpenSSL to tell me the ticket age, it is implied by
the key id.

Since ticket keys should be rotated anyway, something like that might
also work for you.

What I haven't yet built is a mechanism to rotate keys consistently across
multiple machines in a load-balancer pool.  That would be generally
useful.

-- 
    Viktor.
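
Added example, not part of the original message and not Postfix code: a simplified model of the scheme described above, where the ticket's key name alone decides between accept, accept-and-renew, and full handshake. The return values mirror the decrypt-path results of OpenSSL's ticket key callback (0, 1, 2); the struct and function names are hypothetical, and the key names are constructed from the hour number purely for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

#define ROTATE_SECS  3600  /* rotate ticket keys every hour, as in the post */
#define KEY_NAME_LEN 16    /* size of the key name field in an OpenSSL ticket */

/* Same meaning as the ticket key callback's decrypt-path return values. */
enum { TKT_REJECT = 0, TKT_ACCEPT = 1, TKT_ACCEPT_RENEW = 2 };

typedef struct {
    unsigned char name[KEY_NAME_LEN];  /* key id carried in the ticket */
    time_t issued;                     /* start of the hour this key covers */
    int valid;
} ticket_key;
typedef struct { ticket_key cur, prev; } key_ring;

/* Hypothetical helper: constructed key name derived from the hour number.
   Real key names and key material must come from a CSPRNG. */
static void make_key(ticket_key *k, time_t now)
{
    uint64_t epoch = (uint64_t)now / ROTATE_SECS;
    memset(k->name, 0, sizeof(k->name));
    memcpy(k->name, &epoch, sizeof(epoch));
    k->issued = (time_t)(epoch * ROTATE_SECS);
    k->valid = 1;
}

/* Rotate once the current key is an hour old; keep the old key one more hour. */
void ring_rotate(key_ring *r, time_t now)
{
    if (r->cur.valid && now - r->cur.issued < ROTATE_SECS)
        return;
    r->prev = r->cur;
    make_key(&r->cur, now);
    if (r->prev.valid && now - r->prev.issued >= 2 * ROTATE_SECS)
        r->prev.valid = 0;           /* previous key is past its second hour */
}

/* Decide what to do with a ticket from its key name; no ticket age needed. */
int ticket_decision(key_ring *r, const unsigned char *name, time_t now)
{
    ring_rotate(r, now);
    if (r->cur.valid && memcmp(name, r->cur.name, KEY_NAME_LEN) == 0)
        return TKT_ACCEPT;           /* current key: keep the ticket */
    if (r->prev.valid && memcmp(name, r->prev.name, KEY_NAME_LEN) == 0)
        return TKT_ACCEPT_RENEW;     /* previous key: issue a fresh ticket */
    return TKT_REJECT;               /* unknown or retired key: full handshake */
}
```
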

