-
Bug
-
Resolution: Done
-
Critical
-
7.1.0.DR13, 7.1.0.DR16
The default values of maximum-session-cache-size and session-timeout of Elytron *-ssl-context are 0. This is not safe because SSL sessions can be stored indefinitely. Furthermore, such default settings overwrites default settings in Java, which can be unexpected.
There should be reasonable combination of values, or Java default values should be (let) used.
For example, see http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/SSLSessionContextImpl.java
- is cloned by
-
ELY-1009 Default settings of SSL session caching for Elytron *-ssl-context are not safe
- Resolved
- is related to
-
JBEAP-9780 Explain the meaning of and set default values of maximum-session-cache-size and session-timeout
- Closed