Microsoft KB Archive/937687

= Web clients cannot resume SSL sessions or TLS sessions with IIS 6.0 =

Article ID: 937687

Article Last Modified on 7/11/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
Web clients intermittently cannot resume Secure Sockets Layer/Transport Layer Security (SSL/TLS) sessions with Internet Information Services (IIS) 6.0. When the failure occurs, clients must renegotiate the SSL/TLS session, and a new session ID is assigned.

This issue primarily affects Web server farms if the following conditions are true:
 * The Web server farms are behind SSL load balancers.
 * The SSL load balancers use the SSL/TLS session ID to route traffic to specific servers.

Single Web server scenarios experience minimal effect.



CAUSE
This problem occurs because IIS 6.0 purges SSL/TLS session IDs from the session ID cache table.

IIS 6.0 maintains objects in memory to track each incoming Web connection. After five minutes of idle time, these objects are destroyed to reclaim resources. During this process, IIS purges the SSL/TLS session ID that the operating system caches from the session ID cache table. IIS also purges all the connection information that is negotiated between the client and the server. When a client tries to resume an SSL/TLS session by using the previous session ID, the server cannot locate the connection information in the cache. Therefore, the client must renegotiate the connection. Additionally, the client must obtain a new session ID.



RESOLUTION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, enable Kernel Mode SSL on each server that is running IIS 6.0. To do this, follow these steps:  Start Registry Editor. Locate and then click the following registry subkey:

 Create the following registry entry under this subkey:  Name: EnableKernelSSL Value type: REG_DWORD Value data: 0x1</li></ul> </li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
The Windows operating system maintains an SSL/TLS Session ID cache table. Windows maintains this table as a First In/First Out (FIFO) list. The default value is 10,000 entries. Entries have a maximum lifetime of ten hours if the entries are not purged from the list in favor of newer entries. The Session ID cache table has the following configurable settings: <ul> To change the maximum number of entries in the Session ID cache table, locate and then click the following registry subkey:

Create the following registry entry under this subkey: <ul> Name: MaximumCacheSize</li> Value type: REG_DWORD</li></ul>

When you set the value for the MaximumCacheSize registry key to 0, the server-side session cache is disabled. Therefore, Web clients cannot reconnect to an SSL/TLS session. When you set the value of the MaximumCacheSize registry key to a number that is larger than the default value of 10,000, the Lsass.exe file consumes additional memory. Each session cache element typically requires 2-4 kilobytes (KB) of memory.</li> To change the maximum lifetime of the cache entries, locate and then click the following registry subkey:

Create the following registry entry under this subkey: <ul> Name: ServerCacheTime</li> Value type: REG_DWORD</li> Value data: The number of milliseconds that you want the cache entries to exist</li></ul>

When you set the value for the ServerCacheTime registry key to 0, the server-side session cache is disabled. Therefore, Web clients cannot reconnect to a SSL/TLS session. When you set the value of the ServerCacheTime registry key to a number that is larger than the default value of 36,000,000 milliseconds (ten hours), the Lsass.exe file consumes additional memory. Each session cache element typically requires 2-4 KB of memory.</li></ul>

<div class="references_section">