Opened 17 years ago

Closed 17 years ago

#73 closed defect (fixed)

Web interface handles SSL caching incorrectly

Reported by: jwalden Owned by: quentin
Priority: major Milestone:
Component: web Version:
Keywords: Cc:

Description

Looking at <https://bugzilla.mozilla.org/show_bug.cgi?id=295922> comments 24 onward and going from office discussion, sipb-xen is probably doing SSL session caching "wrongly". Since it's using Apache, I randomly speculate the SSLSessionCache and/or SSLSessionCacheTimeout directives may be responsible for the problem: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncache http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncachetimeout

That suggests the default timeout is 300s, far less than the 86400s or 28800s limit the bug discussion recommends. My sources claim this was the recommendation of SSL2 but don't know the reason (and note "that short time limit was painful to users and servers alike"), and SSL2's fairly old and has known vulnerabilities (IE7, Firefox 2 don't even enable it by default). SSL3 (RFC 2246, section F.1.4) and TLS1 (<http://wp.netscape.com/eng/ssl3/draft302.txt>, same section) specs suggest an upper timeout limit of 24h but don't give a recommended timeout length.

Jeff

Change History (2)

comment:1 Changed 17 years ago by quentin

  • Owner changed from quenti to quentin
  • Status changed from new to accepted

comment:2 Changed 17 years ago by quentin

  • Resolution set to fixed
  • Status changed from accepted to closed

I've changed the cache timeout to 28800 seconds, or 8 hours. Please reopen the ticket if this doesn't resolve the problem.
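As an added example (not part of the ticket and not sipb-xen's configuration), the following check reads Apache configuration text and reports the effective `SSLSessionCache` and `SSLSessionCacheTimeout` settings against the values discussed above: the 300s default, the 28800s target and the 24h upper limit. The function name, the sample configs and the last-directive-wins handling (no `Include` or per-`VirtualHost` scoping) are assumptions made for illustration.

```python
DEFAULT_TIMEOUT = 300     # mod_ssl default when SSLSessionCacheTimeout is unset
SPEC_UPPER_LIMIT = 86400  # 24h upper limit cited in the ticket

# Constructed sample configs (not sipb-xen's real files).
BEFORE_CONF = """
SSLEngine on
SSLSessionCache shm:/var/run/ssl_scache(512000)
# SSLSessionCacheTimeout not set, so the default applies
"""
AFTER_CONF = BEFORE_CONF + "SSLSessionCacheTimeout 28800\n"


def audit_session_cache(conf_text, min_timeout=28800):
    """Return (effective settings, findings) for mod_ssl session caching."""
    cache, timeout, findings = "none", DEFAULT_TIMEOUT, []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()  # Apache directive names are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name == "sslsessioncache":
            cache = arg
        elif name == "sslsessioncachetimeout":
            if arg.isdigit():
                timeout = int(arg)
            else:
                findings.append(f"unparseable SSLSessionCacheTimeout: {arg!r}")
    if cache.lower() in ("", "none", "nonenotnull"):
        findings.append("SSLSessionCache is off: sessions cannot be resumed")
    if timeout < min_timeout:
        findings.append(f"timeout {timeout}s is below the {min_timeout}s target")
    if timeout > SPEC_UPPER_LIMIT:
        findings.append(f"timeout {timeout}s exceeds the {SPEC_UPPER_LIMIT}s limit")
    return {"cache": cache, "timeout": timeout}, findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        settings, findings = audit_session_cache(conf)
        print(label, settings, findings or "ok")
```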
