[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Ryan Sleevi ryan+cryptography at sleevi.com
Tue Jul 2 17:59:33 EDT 2013

On Tue, July 2, 2013 2:02 pm, Paul Hoffman wrote:
>  On Jul 2, 2013, at 1:52 PM, Ben Laurie <ben at links.org> wrote:
> > Alternatively, we stay in this world, clients expire sessions hourly,
> > and we're all happy.
>  Is this what most recent browsers do? They expire their TLS sessions after
>  an hour? That would be nice.
>  --Paul Hoffman

Firefox and Chrome use a 24-hour period, as recommended - see

CryptoAPI/SChannel defaults to 10 hours, but I don't know if IE is
tweaking that at all - see dwSessionLifespan for

OS X/SecureTransport uses ten minutes as the default - see

More information about the cryptography mailing list