Opened 17 years ago
Closed 17 years ago
#73 closed defect (fixed)
Web interface handles SSL caching incorrectly
| Reported by: | jwalden | Owned by: | quentin |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | web | Version: | |
| Keywords: | Cc: |
Description
Looking at <https://bugzilla.mozilla.org/show_bug.cgi?id=295922> comments 24 onward and going from office discussion, sipb-xen is probably doing SSL session caching "wrongly". Since it's using Apache, I randomly speculate the SSLSessionCache and/or SSLSessionCacheTimeout directives may be responsible for the problem: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncache http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncachetimeout
That suggests the default timeout is 300s, far less than the 86400s or 28800s limit the bug discussion recommends. Mysources claim this was the recommendation of SSL2 but don't know the reason (and note "that short time limit was painful to users and servers alike"), and SSL2's fairly old and has known vulnerabilities (IE7, Firefox 2 don't even enable it bydefault). SSL3 (RFC 2246, section F.1.4) and TLS1 (<http://wp.netscape.com/eng/ssl3/draft302.txt>, same section) specssuggest an upper timeout limit of 24h but don't give a recommended timeout length. Jeff
Change History (2)
comment:1 Changed 17 years ago by quentin
- Owner changed from quenti to quentin
- Status changed from new to accepted
comment:2 Changed 17 years ago by quentin
- Resolution set to fixed
- Status changed from accepted to closed
I've changed the cache timeout to 28800 seconds, or 8 hours. Please reopen the ticket if this doesn't resolve the problem.