From 5f7ec543ec89fd69b078a0aebd345611b1586f52 Mon Sep 17 00:00:00 2001
From: Rainer Jung
Date: Sun, 13 Jul 2014 22:30:44 +0000
Subject: [PATCH] Extend the scope of SSLSessionCacheTimeout to sessions resumed by TLS session resumption (RFC 5077).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610311 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 docs/manual/mod/mod_ssl.xml | 3 ++-
 modules/ssl/ssl_engine_init.c | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 29e3e6c44a..8342552217 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
+ resumed by TLS session resumption (RFC 5077). [Rainer Jung]
+
 *) mod_proxy_ajp: Forward local IP address as a custom request attribute
 like we already do for the remote port. [Rainer Jung]
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 52be8774e4..73641d3c42 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -500,7 +500,8 @@ in the Session Cache

This directive sets the timeout in seconds for the information stored in the -global/inter-process SSL Session Cache and the OpenSSL internal memory cache. +global/inter-process SSL Session Cache, the OpenSSL internal memory cache and +for sessions resumed by TLS session resumption (RFC 5077). It can be set as low as 15 for testing, but should be set to higher values like 300 in real life.

 Example
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index df9b64b454..71942da4dc 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1468,6 +1468,10 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 }
 #endif
+ SSL_CTX_set_timeout(sc->server->ssl_ctx,
+ sc->session_cache_timeout == UNSET ?
+ SSL_SESSION_CACHE_TIMEOUT : sc->session_cache_timeout);
+
 return APR_SUCCESS;
 }
-- 
2.40.0
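Review bot: The new SSL_CTX_set_timeout() call in ssl_init_server_ctx carries no comment saying why the cache timeout has to be pushed into the SSL_CTX as well, which is the whole point of the change: as far as I can tell a session resumed from an RFC 5077 ticket never goes through the external session cache, so the timeout OpenSSL stores in the session (and hence in the ticket) is the only thing bounding how long that ticket stays accepted. I would add `/* Also apply SSLSessionCacheTimeout inside OpenSSL so that sessions resumed from RFC 5077 tickets, which bypass the session cache, expire on the same schedule. */` above the call. The `sc->session_cache_timeout == UNSET ? SSL_SESSION_CACHE_TIMEOUT : ...` fallback looks like it repeats a default that is probably already resolved earlier in the init path; if so, reading `sc->session_cache_timeout` directly here avoids the two defaults drifting apart. This bounds ticket acceptance time only and does not rotate the ticket key, which is worth stating in the comment since operators may otherwise assume the directive also limits key lifetime. ssl_init_server_ctx begins outside the hunk.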