Microsoft Knowledge Base Article
This article's contents are Microsoft copyrighted material. © 2005-2007 Microsoft Corporation. All rights reserved.
Article ID: 937687 - Last Review: July 11, 2007 - Revision: 1.0
Web clients cannot resume SSL sessions or TLS sessions with IIS 6.0
Important: This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://kbalertz.com/Feedback.aspx?kbNumber=256986/) Description of the Microsoft Windows registry
SYMPTOMS
Web clients intermittently cannot resume Secure Sockets Layer/Transport Layer Security (SSL/TLS) sessions with Internet Information Services (IIS) 6.0. When the failure occurs, the client must perform a full handshake to negotiate a new SSL/TLS session, and the server assigns a new session ID.
This issue primarily affects Web server farms if the following conditions are true:
- The Web server farm is behind SSL load balancers.
- The SSL load balancers use the SSL/TLS session ID to route traffic to specific servers.
Single Web server scenarios are affected only minimally, because the only cost is the extra full handshake. In a farm that routes on the session ID, the newly assigned ID can also cause the load balancer to send the client's next request to a different server.
CAUSE
This problem occurs because IIS 6.0 purges SSL/TLS session IDs from the session ID cache table.
IIS 6.0 maintains objects in memory to track each incoming Web connection. After five minutes of idle time, these objects are destroyed to reclaim resources. During this process, IIS removes the connection's SSL/TLS session ID from the session ID cache table that the operating system maintains. IIS also purges all the connection information that was negotiated between the client and the server.
When a client later tries to resume an SSL/TLS session by using the previous session ID, the server cannot locate the connection information in the cache. Therefore, the client must negotiate a new connection with a full handshake, and the server assigns it a new session ID.
RESOLUTION
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To resolve this problem, enable kernel-mode SSL on each server in the farm that is running IIS 6.0. To do this, follow these steps:
- Start Registry Editor.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
- Create the following registry entry under this subkey:
- Name: EnableKernelSSL
- Value type: REG_DWORD
- Value data: 0x1
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
The Windows operating system maintains an SSL/TLS session ID cache table. Windows maintains this table as a First In/First Out (FIFO) list. The default maximum size is 10,000 entries. Entries have a maximum lifetime of ten hours unless they are purged from the list earlier in favor of newer entries. The session ID cache table has the following configurable settings:
- To change the maximum number of entries in the session ID cache table, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create the following registry entry under this subkey:
- Name: MaximumCacheSize
- Value type: REG_DWORD
- Value data: The maximum number of entries in the cache (the default is 10,000)
When you set the value of the MaximumCacheSize registry entry to 0, the server-side session cache is disabled. Therefore, Web clients cannot resume an SSL/TLS session. When you set the value of the MaximumCacheSize registry entry to a number that is larger than the default value of 10,000, the Lsass.exe process consumes additional memory. Each session cache element typically requires 2-4 kilobytes (KB) of memory.
- To change the maximum lifetime of the cache entries, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create the following registry entry under this subkey:
- Name: ServerCacheTime
- Value type: REG_DWORD
- Value data: The number of milliseconds that you want the cache entries to exist (the default is 36,000,000, that is, ten hours)
When you set the value of the ServerCacheTime registry entry to 0, the server-side session cache is disabled. Therefore, Web clients cannot resume an SSL/TLS session. When you set the value of the ServerCacheTime registry entry to a number that is larger than the default value of 36,000,000 milliseconds (ten hours), entries remain in the cache longer, so the Lsass.exe process consumes additional memory. Each session cache element typically requires 2-4 KB of memory. Because a cached entry holds the keying material that is needed to resume that session, a longer ServerCacheTime also lengthens the period during which that material is kept in Lsass.exe memory.
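The resolution steps above (EnableKernelSSL) and the two Schannel cache settings in this section, applied as one PowerShell script. This is an added example for this page, not code from the Microsoft article: the registry paths and value names are the ones the article documents, while the function names, the refusal to write a value of 0, the Lsass.exe memory estimate, the per-node audit report, and the HTTP service restart are this example's own. The article does not mention the restart; HTTP.sys reads its Parameters key when the HTTP service starts, so the EnableKernelSSL change is not picked up by a running server. Run it in an elevated PowerShell (2.0 or later) on each IIS 6.0 node, after draining the node from the load balancer, because the restart drops in-flight connections.

```powershell
# Added example for KB 937687 (not Microsoft's code). Registry paths and value
# names are from the article; everything else is this example's own.
# Run elevated on each IIS 6.0 node. The restart in Enable-KernelModeSsl
# causes a brief outage, so drain the node from the load balancer first.

$HttpParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$SchannelKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-RegistryDword {
    # Create the key if it is missing, then create or update one REG_DWORD value.
    param([string]$Path, [string]$Name, [uint32]$Value)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
    }
}

function Enable-KernelModeSsl {
    # The fix from the RESOLUTION section: EnableKernelSSL = 1 under HTTP\Parameters.
    Set-RegistryDword -Path $HttpParametersKey -Name 'EnableKernelSSL' -Value 1
    # HTTP.sys reads its Parameters key only when the HTTP service starts, so
    # stop it (and the IIS services that depend on it) and bring IIS back up.
    & net stop http /y | Out-Null
    & iisreset | Out-Null
}

function Set-SchannelServerSessionCache {
    # Optional tuning from the MORE INFORMATION section; the parameter defaults
    # are the article's documented defaults (10,000 entries, ten hours).
    param(
        [uint32]$MaximumCacheSize  = 10000,
        [uint32]$ServerCacheTimeMs = 36000000
    )
    # 0 in either value disables the server-side session cache entirely, which
    # reproduces the very failure this article is about, so refuse it outright.
    if ($MaximumCacheSize -eq 0 -or $ServerCacheTimeMs -eq 0) {
        throw 'A value of 0 disables the Schannel server session cache; refusing to apply it.'
    }
    # Worst-case Lsass.exe budget from the article's 2-4 KB per cache element figure.
    $worstCaseMb = [math]::Round(($MaximumCacheSize * 4) / 1024, 1)
    $hours       = [math]::Round($ServerCacheTimeMs / 3600000, 1)
    Write-Host ("MaximumCacheSize={0} (up to ~{1} MB in Lsass.exe), ServerCacheTime={2} ms ({3} h)" -f $MaximumCacheSize, $worstCaseMb, $ServerCacheTimeMs, $hours)
    Set-RegistryDword -Path $SchannelKey -Name 'MaximumCacheSize' -Value $MaximumCacheSize
    Set-RegistryDword -Path $SchannelKey -Name 'ServerCacheTime'  -Value $ServerCacheTimeMs
}

function Get-SslSessionCacheSettings {
    # Read back all three values so every node in the farm can be checked for
    # identical settings. $null means the value is absent and the default applies
    # (EnableKernelSSL absent = user-mode SSL, which is the state this KB fixes).
    $http = Get-ItemProperty -Path $HttpParametersKey -ErrorAction SilentlyContinue
    $sch  = Get-ItemProperty -Path $SchannelKey       -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        EnableKernelSSL   = $http.EnableKernelSSL
        MaximumCacheSize  = $sch.MaximumCacheSize
        ServerCacheTimeMs = $sch.ServerCacheTime
    }
}

# Usage: apply the fix, keep the article's default cache sizing, then audit.
Enable-KernelModeSsl
Set-SchannelServerSessionCache
Get-SslSessionCacheSettings | Format-List
```

Get-SslSessionCacheSettings is the part worth running on every node before re-enabling it in the load balancer: a farm in which one server still has EnableKernelSSL absent will keep showing the intermittent resumption failures on exactly the sessions that land on that server, which is hard to tell apart from a load balancer problem without this check.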
For more information about SSL/TLS registry settings and tools, visit the following Microsoft Web site:
For more information about Kernel-Mode SSL in IIS 6.0, visit the following Microsoft Web site:
APPLIES TO
- Microsoft Internet Information Services 6.0