How to configure Secure Sockets Layer server and Client cache elements

Article translations Article translations
Article ID: 247658 - View products that this article applies to.
This article was previously published under Q247658
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1
Expand all | Collapse all

On This Page

SUMMARY

When you access the Web server, Secure Sockets Layer (SSL) session IDs and other SSL session information are kept in the Schannel cache. You must know the length of time that the SSL session information is cached so that you can set the appropriate length when you develop load-balancing applications that identify separate users based on their SSL session number. You can modify the length of time that the SSL session information is cached for Internet Information Server (IIS) 4.0 and Internet Information Services (IIS) 5.0 with the registry entries that are described in the Modify the SChannel Cache section of this article.

Modify the SChannel Cache

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To modify the length of time that the SSL session information is cached, follow these steps:
  1. Open Registry Editor. To do this, click Start, click Run, type regedt32, and then click OK.
  2. Click to select the following key in the registry:
    [HKEY_LOCAL_MACHINE][System][CurrentControlSet][Control][SecurityProviders][SCHANNEL]
  3. On the Edit menu, click Add Value, type ClientCacheTime in the Value Name box, select REG_DWORD for Data Type, and then click OK.
  4. In the Data box, type a value in milliseconds, click Decimal, and then click OK.
  5. Repeat steps 3 and 4 to add the ServerCacheTime value.
  6. Exit Registry Editor.

Additional Notes


The following are the registry key locations and values:
  • [HKEY_LOCAL_MACHINE]
  • [System]
  • [CurrentControlSet]
  • [Control]
  • [SecurityProviders]
  • [SCHANNEL]
  • ClientCacheTime:hierarchical
    (the time to expire client side cache elements)
  • ServerCacheTime:hierarchical
    (the time to expire server side cache elements)
Values are calibrated in milliseconds (120000 = 2 minutes). The default values are listed in the following table, and keys do not appear in the registry unless they are changed from the default values. A value of 0 turns off the secure connection caching.

The default ServerCacheTime and ClientCacheTime values are different by the version of Schannel.dll.

The CacheTime values are as follows:
Collapse this tableExpand this table
VersionClientCacheTime ServerCacheTime
Windows NT 4.0 SP6a2 minutes2 minutes
Windows NT 4.0 SP6a + Q26536960 minutes5 minutes
Windows 2000 SP12 minutes2 minutes
Windows 2000 SP210 hours10 hours
Windows XP 10 hours10 hours

The registry key locations apply to all versions of the Schannel cache. Keep the server-side interval short for better management of the overall size of the Schannel cache.

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
265369 Internet Explorer renegotiates Secure Sockets Layer connection every two minutes

Properties

Article ID: 247658 - Last Review: July 7, 2008 - Revision: 4.1
APPLIES TO
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
Keywords: 
kbhowtomaster KB247658

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com