id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
73	Web interface handles SSL caching incorrectly	jwalden	quentin	"Looking at <https://bugzilla.mozilla.org/show_bug.cgi?id=295922> comments 24 onward and going from office discussion,
sipb-xen is probably doing SSL session caching ""wrongly"".  Since it's using Apache, I randomly speculate the
SSLSessionCache and/or SSLSessionCacheTimeout directives may be responsible for the problem:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncache
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncachetimeout

That suggests the default timeout is 300s, far less than the 86400s or 28800s limit the bug discussion recommends.  Mysources claim this was the recommendation of SSL2 but don't know the reason (and note ""that short time limit was painful to
users and servers alike""), and SSL2's fairly old and has known vulnerabilities (IE7, Firefox 2 don't even enable it bydefault).  SSL3 (RFC 2246, section F.1.4) and TLS1 (<http://wp.netscape.com/eng/ssl3/draft302.txt>, same section) specssuggest an upper timeout limit of 24h but don't give a recommended timeout length.
Jeff"	defect	closed	major		web		fixed