Query: Scandium DTLS session timeout

[kiranpradeep]

The LeastRecentlyUsedCache used for saving connections have an expiration threshold of 36 hours. I assume this implies if a client sleeps for more than 36 hours and then wakes to send a data packet, it would be discarded and client will need to reconnect. I tried a quick incomplete read of the RFC 6347 and couldn't find points about a need for session timeout.

Is this session timeout mandatory. Why are not we letting the session stay for ever until LRU capacity is reached? Or is my understanding wrong ? Kindly let me know if this query has to go to a mailing list.

[sbernard31]

The TLS 1.2 spec say:
"An upper limit of 24 hours is suggested for
session ID lifetimes, since an attacker who obtains a master_secret
may be able to impersonate the compromised party until the
corresponding session ID is retired."
By the way we should maybe set it to 24 by default.

I suppose you already see that but you can configure the threshold with an adapted value for your use case. setExpirationThreshold
If you don't want expiration (not really recommended ;)) you could implement your own ConnectionStore.

About the mailing list vs github issue:
Mailing list is more for asking questions (like this one)
github issue to report bugs (or request enhancement)

[kiranpradeep]

@sbernard31 Thanks.