[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Paul Hoffman paul.hoffman at vpnc.org
Tue Jul 2 18:38:54 EDT 2013


On Jul 2, 2013, at 2:59 PM, Ryan Sleevi <ryan+cryptography at sleevi.com> wrote:

> On Tue, July 2, 2013 2:02 pm, Paul Hoffman wrote:
>> On Jul 2, 2013, at 1:52 PM, Ben Laurie <ben at links.org> wrote:
>> 
>>> Alternatively, we stay in this world, clients expire sessions hourly,
>>> and we're all happy.
>> 
>> Is this what most recent browsers do? They expire their TLS sessions after
>> an hour? That would be nice.
>> 
>> --Paul Hoffman
> 
> Firefox and Chrome use a 24-hour period, as recommended - see
> http://mxr.mozilla.org/nss/source/lib/ssl/sslnonce.c#21
> 
> CryptoAPI/SChannel defaults to 10 hours, but I don't know if IE is
> tweaking that at all - see dwSessionLifespan for
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx
> 
> OS X/SecureTransport uses ten minutes as the default - see
> SESSION_CACHE_TTL in
> http://www.opensource.apple.com/source/Security/Security-55179.11/libsecurity_ssl/security_ssl/appleSession.c

Is this what people are seeing when they test these clients against test servers?

--Paul Hoffman

