Hello, I thank you for your answers. I read in RFC 2246 that the lifetime for a session ID is 24 hours; is there a difference between this time and the time that you say (300 sec)?

Victor Duchovni <[EMAIL PROTECTED]> wrote:
On Wed, Nov 02, 2005 at 09:17:52PM -0800, imana sakki wrote:

> I want to know: can I see the content of the session-ID cache (the internal cache)?
> Is it possible for an attacker to sniff the master key from this cache?
> How secure is this cache?

There is no global "master key", only a per-session master key that
enables session restart without expensive public key operations. The
internal cache is stored in process memory; if that is not safe enough,
the game is over. If you store the sessions out of process, it is up
to you to set up appropriately protected storage. For Postfix the
cache file is only readable by the "postfix" user id; the cached
sessions are typically expired by both sides in 300s (HTTP) to 3600s
(SMTP).

$ ls -l /etc/postfix/smtp_scache.db
-rw------- 1 root bin 8192 Nov 3 00:40 /etc/postfix/smtp_scache.db

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]


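The point in the quoted reply about protecting an out-of-process session cache can be checked mechanically. The following is an added example, not part of the original thread or of Postfix or OpenSSL; the function name `audit_cache_file` is hypothetical and the cache file it inspects is a constructed stand-in created in a temporary directory.

```python
import os
import stat
import tempfile


def audit_cache_file(path, expected_uid):
    """Return a list of findings for an on-disk TLS session cache file."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    # Cached sessions hold per-session master keys: only the owner may have access.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"mode {mode:04o} grants group/other access")
    # A directory writable by others (without the sticky bit) lets them swap the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    writable = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is group/other writable")
    return findings


def demo():
    """Audit a constructed cache file with a strict mode, then a loose one."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "smtp_scache.db")  # constructed stand-in file
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not real session data")
        os.chmod(path, 0o600)
        strict = audit_cache_file(path, os.getuid())
        os.chmod(path, 0o644)
        loose = audit_cache_file(path, os.getuid())
        link = os.path.join(d, "link.db")
        os.symlink(path, link)
        linked = audit_cache_file(link, os.getuid())
        return strict, loose, linked


if __name__ == "__main__":
    for result in demo():
        print(result)
```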