Setting the SSL Cache Time-out Interval

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

If you expect thousands of users to connect to your site by using SSL, estimate how long you expect SSL sessions to last, and then set the value of the ServerCacheTime entry to a number slightly higher than your estimate. Do not set the value much higher than your estimate, because the resulting time-out interval might cause your server to retain stale data in the cache.

Warning

The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see IIS 6.0 Registry Reference.

Before changing the SSL cache time-out interval, make sure that HTTP Keep-Alives are enabled (HTTP Keep-Alives are enabled by default). SSL sessions do not expire when you use them with HTTP Keep-Alives except when the browser closes the connection.

Important

You must be a member of the Administrators group on the local computer to edit the registry. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to open a command window as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights and then type regedit.exe to open the registry editor.

To configure the ServerCacheTime registry entry

  1. In the registry editor, navigate to the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

  2. Right-click the SCHANNEL subkey, point to New, and then click DWORD Value.

  3. In the New Value box, type the following: ServerCacheTime

  4. Right-click the ServerCacheTime entry and then click Modify.

  5. Under Base, click Decimal.

  6. In the Value Data box, type the value (in milliseconds) that you want to assign for the cache time (1 minute = 60,000 milliseconds), and then click OK. See Table 6.28 for commonly used cache times converted to milliseconds.

Table 6.28 Calculating ServerCacheTime Values for Secure Session Caching

| Desired Cache Time (1 minute = 60,000 milliseconds) | ServerCacheTime Value (in Milliseconds) |
|---|---|
| No secure session caching | 0 (turns off session caching) |
| 2 minutes (default setting for the Microsoft® Windows NT® version 4.0 operating system) | 120000 |
| 5 minutes (default setting for the Microsoft® Windows® 2000 operating system) | 300000 |
| 10 hours (default setting for Windows Server 2003, Windows 2000 with Service Pack 2 [SP2] or later, and Windows XP) | 36000000 |
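The procedure above can also be scripted. The following PowerShell sketch is an added example, not part of the original Microsoft documentation: it converts minutes to milliseconds, exports the SCHANNEL subkey as a backup, writes the ServerCacheTime DWORD, and reads the value back. The function names, the backup location, and the upper bound on the value are assumptions made for this example; run it from an administrator session.

```powershell
# Added example (not from the original documentation).
# Function names, the backup directory and the size bound are assumptions of this example.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function ConvertTo-CacheMilliseconds {
    param([double]$Minutes)
    if ($Minutes -lt 0) { throw 'Cache time cannot be negative.' }
    $ms = [math]::Round($Minutes * 60000)   # 1 minute = 60,000 milliseconds
    # Conservative bound chosen for this example: keep the value within a signed 32-bit integer.
    if ($ms -gt [int]::MaxValue) { throw "Value $ms ms is too large for this example." }
    return [int]$ms
}

function Set-ServerCacheTime {
    param([double]$Minutes, [string]$BackupDir = $env:TEMP)

    $ms = ConvertTo-CacheMilliseconds -Minutes $Minutes
    if (-not (Test-Path $SchannelKey)) { throw "Subkey not found: $SchannelKey" }

    # Back up the subkey before changing it (reg.exe uses HKLM\ without the colon).
    $backup = Join-Path $BackupDir ('schannel-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export ($SchannelKey -replace '^HKLM:', 'HKLM') $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no change was made.' }

    # Steps 2-6: create the DWORD entry, or overwrite it if it already exists.
    New-ItemProperty -Path $SchannelKey -Name 'ServerCacheTime' `
        -PropertyType DWord -Value $ms -Force | Out-Null

    # Read the value back and confirm it matches what was requested.
    $actual = (Get-ItemProperty -Path $SchannelKey -Name 'ServerCacheTime').ServerCacheTime
    if ($actual -ne $ms) { throw "Read-back mismatch: expected $ms, found $actual." }

    New-Object PSObject -Property @{
        ServerCacheTimeMs = $actual
        Minutes           = $Minutes
        Backup            = $backup
    }
}

# 5 minutes, one of the values listed in Table 6.28 (300000 milliseconds).
Set-ServerCacheTime -Minutes 5
```

Passing `-Minutes 0` writes 0, which the table lists as turning off secure session caching.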

For more information about configuring the SSL cache time-out interval, see Configuring ServerCacheTime for SSL Sessions.