Microsoft KB Archive/265369

= Internet Explorer Renegotiates Secure Sockets Layer Connection Every Two Minutes =

Article ID: 265369

Article Last Modified on 1/27/2007


APPLIES TO


 * Microsoft Windows 95
 * Microsoft Windows 98 Standard Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows NT 4.0




This article was previously published under Q265369



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you connect by using a Secure Sockets Layer (SSL) session with Microsoft Internet Explorer, the SSL session is renegotiated every two minutes. You are generally not aware of this behavior, but it may be noticeable if you are using basic authentication over the SSL connection. In this case, the basic authentication dialog box prompts you to supply your credentials every two minutes.



CAUSE
In Microsoft Internet Explorer on Microsoft Windows NT 4.0, the SSL cache time-out interval is set to two minutes, so the session is renegotiated every two minutes. This forces a full SSL handshake. With SSL, either the client or the server can start the renegotiation process. The interval is determined by the shortest SSL time-out value (either on the client or on the server). Because Internet Explorer has a two-minute interval, Internet Explorer forces the renegotiation of the SSL session every two minutes, regardless of the setting on the server.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

   Date       Version         Size     File name     Platform
   -----------------------------------------------------------------
   09/7/2000  4.86.1964.1877  154,384  Schannel.dll  Intel (40-bit)
   09/7/2000  4.87.1964.1877  123,664  Schannel.dll  Intel (128-bit)

NOTE: This fix requires Internet Explorer 5.01 or later. If you are experiencing this problem in Internet Explorer 5, you must upgrade to Internet Explorer 5.01 or later before you install this hotfix. You must also reapply this hotfix each time that you upgrade Internet Explorer.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can control this behavior on the client by changing a registry setting. As described in the following Microsoft Knowledge Base article, you can add the ClientCacheTime DWORD value. You must add this value on each client computer:

247658 How to Configure Secure Sockets Layer Server and Client Cache Elements

To increase the SSL time-out value:

 1. Start Registry Editor (Regedt32.exe).
 2. Locate and click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

 3. On the Edit menu, click Add Value.
 4. Type ClientCacheTime, click the REG_DWORD data type, and then click OK.
 5. In the Data box, type a decimal value in milliseconds, and then click OK.

The value is calibrated in milliseconds. The default value is "120000" (two minutes). The keys are not displayed in the registry unless you change them from their default values. A value of "0" disables secure connection caching.

The key locations and values apply to all versions of the Schannel.dll file. Keep the interval on the server short for better management of the overall size of the Schannel cache.
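To audit the setting across client computers, the following added example (not part of the Microsoft article) reads a REGEDIT4-style text export of the key and reports the effective ClientCacheTime. It assumes the export is available as text; the function name and the sample exports are constructed for illustration. It also flags a common mistake: .reg files store DWORD data in hexadecimal, while the Data box in the steps above takes decimal.

```python
import re

DEFAULT_MS = 120000  # default from the article: two minutes
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

def client_cache_time(reg_text):
    """Return (milliseconds or None, note) for ClientCacheTime in a .reg export."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Key names are case-insensitive; subkeys of SCHANNEL do not count.
            in_key = line.strip("[]").lower() == KEY.lower()
            continue
        m = re.match(r'"ClientCacheTime"\s*=\s*(.+)$', line, re.I)
        if not (in_key and m):
            continue
        dword = re.fullmatch(r"dword:([0-9a-f]{1,8})", m.group(1).strip(), re.I)
        if not dword:
            return None, "not a REG_DWORD: " + m.group(1).strip()
        ms = int(dword.group(1), 16)  # .reg files store DWORD data as hex
        if ms == 0:
            return 0, "secure connection caching disabled"
        return ms, "cache lifetime %.1f minutes" % (ms / 60000.0)
    return DEFAULT_MS, "value absent: default of two minutes applies"

# Constructed sample exports (not taken from a real machine).
HEADER = "REGEDIT4\n\n[" + KEY.upper() + "]\n"
SAMPLES = {
    "ten minutes": HEADER + '"ClientCacheTime"=dword:000927c0\n',
    "decimal typed as hex": HEADER + '"ClientCacheTime"=dword:00120000\n',
    "caching disabled": HEADER + '"ClientCacheTime"=dword:00000000\n',
    "never changed": HEADER,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", client_cache_time(text))
```

The "decimal typed as hex" sample shows what happens when 120000 is written directly into a .reg file: it is read as 0x120000, which is 1179648 milliseconds rather than two minutes.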

NOTE: This problem does not occur in Microsoft Windows 2000 and Microsoft Windows Millennium Edition.


© Microsoft Corporation. All rights reserved.