Overview of TIM Settings for SSL Ageout.

Document ID : KB000030376
Last Modified Date : 14/02/2018

Description:

Explains what the TIM Settings SslSessionAgeOutCount and SslSessionAgeOutSeconds are used for. Also see TEC604891.

 

Issue:

Details on what the SslSessionAgeOutCount=1000 and SslSessionAgeOutSeconds=1800 TIM Settings mean. This includes the impact and recommendations on when to increase these values.

 

Resolution:

SslSessionAgeOutSeconds controls the ageout/cleanup of SSL session cache entries: an entry is removed when it has not been accessed/reused within the specified number of seconds. This matters most when "SSL session resumption" is enabled on the server side. The value should match the server's SSL session cache timeout; if TIM ages a session out before the server does, a client may resume a session that TIM no longer holds, which shows up as SSL decode failures. Usually, the server-side SSL session cache timeout is configured to one hour, so the TIM side also defaults to 1 hour through the SslSessionAgeOutSeconds property.

If enabling the SSL session cache, verify the SSL session timeout value configured on the server, then configure the same value on the TIM side using this property.

SSL session resumption greatly improves performance by reusing information from a previous successful SSL session negotiation, which bypasses the most computationally intensive parts of the SSL session key handshake/negotiation.

SslSessionAgeOutCount controls how often old SSL session cache entries are aged out: once every n insertions. TIM puts every new SSL session entry into the cache after its first access/use. During the insertion process, TIM uses this value to decide whether to call the ageoutoldsslsessionentries() operation. Each time that operation runs, it removes from the cache the entries that have been idle longer than the SslSessionAgeOutSeconds value.

For example, if the SslSessionAgeOutCount value is set to 100 and 500 SSL session entries are added to the cache, then TIM calls the ageoutoldsslsessionentries() operation five times.

Also, TIM logs the following message at every nth insertion (n being the SslSessionAgeOutCount value):
"Aging out X SSL session(s)"

Ideally, this number should be chosen relative to the number of concurrent SSL sessions. But the default value of 100 should be fine, and a low value gives TIM more opportunity to clean up the inactive SSL sessions.
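To make the two settings concrete, here is an added Python model (not TIM's code and not from the KB) of a session cache that runs the ageout pass every SslSessionAgeOutCount insertions and drops entries idle longer than SslSessionAgeOutSeconds; it reproduces the 500-insertion example above and shows the decode failure that follows when TIM's timeout is shorter than the server's. The session IDs, the injected timestamps and the resume() helper are assumptions of the model.

```python
# Added model of the ageout described above (not TIM's code). Assumptions:
# entries keyed by session ID, resumption refreshes an entry, clock is injected.
class SslSessionCache:
    def __init__(self, age_out_count=100, age_out_seconds=3600):
        self.age_out_count = age_out_count      # SslSessionAgeOutCount
        self.age_out_seconds = age_out_seconds  # SslSessionAgeOutSeconds
        self.entries = {}  # session_id -> last access time (seconds)
        self.insertions = 0
        self.ageout_calls = 0
        self.log = []

    def insert(self, session_id, now):
        # Every n-th insertion (n = SslSessionAgeOutCount) runs the ageout pass.
        self.entries[session_id] = now
        self.insertions += 1
        if self.insertions % self.age_out_count == 0:
            self.age_out_old_entries(now)

    def age_out_old_entries(self, now):
        # Drop entries idle longer than SslSessionAgeOutSeconds; log the count.
        self.ageout_calls += 1
        stale = [s for s, last in self.entries.items()
                 if now - last > self.age_out_seconds]
        for s in stale:
            del self.entries[s]
        self.log.append(f"Aging out {len(stale)} SSL session(s)")
        return len(stale)

    def resume(self, session_id, now):
        # True if TIM still holds the session (decode succeeds), else False.
        if session_id not in self.entries:
            return False
        self.entries[session_id] = now
        return True

def kb_example():
    # The KB's case: count=100 and 500 insertions -> ageout runs 5 times.
    cache = SslSessionCache(age_out_count=100)
    for i in range(500):
        cache.insert(f"sess-{i}", now=0)
    return cache.ageout_calls

def resumption_outcome(tim_age_out_seconds, server_timeout_seconds, resume_after):
    # One session resumed after `resume_after` seconds; nine filler insertions
    # (count=10) force TIM's ageout pass first. (True, False) = decode failure.
    cache = SslSessionCache(age_out_count=10, age_out_seconds=tim_age_out_seconds)
    cache.insert("client-A", now=0)
    for i in range(9):
        cache.insert(f"filler-{i}", now=resume_after)
    server_resumes = resume_after <= server_timeout_seconds
    return server_resumes, cache.resume("client-A", now=resume_after)
```

With TIM at 1800 seconds and the server at 3600, a resumption 2400 seconds later is accepted by the server but no longer decodable by TIM; raising SslSessionAgeOutSeconds to the server's value removes the failure.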