Changing the SSL session cache timeout

Anders Gustavsson

Aug 31, 1999, 3:00:00 AM
I'm running IIS4 with client authentication turned on and a smart card
enabled client. Whenever an SSL negotiation is initiated the user has to
enter a PIN code to be able to use the private key on the card for RSA
operations. The lifespan of the SSL session is (I think) determined by the
setting of the SSL session cache timeout and when the session times out a
new SSL negotiation is initiated (and a new PIN entry dialog is displayed).
I have tried this with two different IIS4 installations and the timeouts are
set to different default values, 2 and 8 minutes, so it seems to be possible
to change the setting and I'd like to set this to a higher value. I have
checked the IIS4 documentation, resource kit and knowledge base articles
and talked to Microsoft but I haven't been able to find out how to change
this setting.

When running the smart card enabled client with an Apache server the timeout
can be set by changing the SSLSessionCacheTimeout setting. Any idea what the
corresponding setting is called for IIS?

Thanks,
Anders


X

Sep 2, 1999, 3:00:00 AM
I'm having the same problem with a timeout of 2 minutes. Any luck fixing it
yet?

Charles

Anders Gustavsson <anders.g...@id2tech.com> wrote in message
news:OG8eA558#GA.263@cppssbbsa04...

Anders Gustavsson

Sep 2, 1999, 3:00:00 AM
No, we're trying to get some help from Microsoft but no news yet.

/Anders

X <X...@aol.com> wrote in message
news:Vkkz3.125$y2....@paloalto-snr1.gtei.net...

Charles Radcliffe

Sep 2, 1999, 3:00:00 AM
I have also opened a ticket with Microsoft. They have been working on it
for a couple of days now with no luck, not a good sign. It's interesting
that one of your machines times out after 8 minutes instead of 2. Anything
special about that 8 minute machine?

If you find the answer post it here, I will do the same.

Charles

Anders Gustavsson <anders.g...@id2tech.com> wrote in message

news:uxIR5ZT9#GA.226@cppssbbsa05...

Charles Radcliffe

Sep 2, 1999, 3:00:00 AM
Go to the following registry location and create these entries. Then, do a
"net stop iisadmin /y" then a "net start w3svc".

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ClientCacheTime and ServerCacheTime

They are both of type REG_DWORD and specify the timeout values for schannel
client side and server side respectively, in units of milliseconds. To make
a setting of 2 hours, make it look like this:

ClientCacheTime=7200000
ServerCacheTime=7200000

60,000 milliseconds in 1 minute

It seems to be working for me,
Charles


Charles Radcliffe <cradc...@hotmail.com> wrote in message
news:ygwz3.5$V16...@paloalto-snr1.gtei.net...
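
A PowerShell way to inspect and set the two values from Charles's post, added here as an example and not part of the thread. The function names are hypothetical; the key path and value names are the ones given in the post, and PowerShell 3.0 or later on a current Windows Server is assumed rather than the NT4/IIS4 systems discussed.

```powershell
# Added example, not from the thread. Key path and value names are the ones in the post;
# the function names are hypothetical.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueNames  = 'ClientCacheTime', 'ServerCacheTime'

function ConvertTo-CacheMilliseconds {
    param([Parameter(Mandatory)][double]$Minutes)
    $ms = [math]::Round($Minutes * 60000)          # 60,000 milliseconds in 1 minute
    # This script stays within the signed 32-bit range so the DWORD round-trips cleanly.
    if ($ms -lt 0 -or $ms -gt [int32]::MaxValue) {
        throw "A timeout of $Minutes minutes is outside the range this script writes."
    }
    [int32]$ms
}

function Get-SchannelCacheTime {
    $key = Get-Item -Path $SchannelKey -ErrorAction Stop
    foreach ($name in $ValueNames) {
        $raw = $key.GetValue($name, $null)
        if ($null -eq $raw) {
            [pscustomobject]@{ Name = $name; Milliseconds = $null; Minutes = $null; State = 'not set' }
        } else {
            # PowerShell returns a DWORD as Int32; reinterpret it as unsigned before reporting.
            $ms = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$raw), 0)
            [pscustomobject]@{ Name = $name; Milliseconds = $ms
                               Minutes = [math]::Round($ms / 60000, 2); State = 'set' }
        }
    }
}

function Set-SchannelCacheTime {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][double]$Minutes)
    $ms = ConvertTo-CacheMilliseconds -Minutes $Minutes
    foreach ($name in $ValueNames) {
        if ($PSCmdlet.ShouldProcess("$SchannelKey\$name", "Set REG_DWORD to $ms ms")) {
            New-ItemProperty -Path $SchannelKey -Name $name -PropertyType DWord `
                             -Value $ms -Force | Out-Null
        }
    }
}

Get-SchannelCacheTime | Format-Table -AutoSize
# 120 minutes = 7,200,000 ms, the 2-hour value from the post. -WhatIf only previews the change.
Set-SchannelCacheTime -Minutes 120 -WhatIf
# After a real run (elevated, without -WhatIf), restart the services as the post describes:
#   net stop iisadmin /y
#   net start w3svc
```

The key is machine-wide, so the new timeout applies to every Schannel consumer on the host, not only IIS. Because the PIN prompt appears only on a full negotiation, the value chosen is also how long a cached session keeps being resumed without the card being asked again.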
