diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9efd6025d..289e99a34 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -860,6 +860,14 @@ tune.ssl.cachesize
 allocated upon startup and are shared between all processes if "nbproc" is greater than 1.
+tune.ssl.lifetime
+ Sets how long a cached SSL session may remain valid. This time is expressed
+ in seconds and defaults to 300 (5 mn). It is important to understand that it
+ does not guarantee that sessions will last that long, because if the cache is
+ full, the longest idle sessions will be purged despite their configured
+ lifetime. The real usefulness of this setting is to prevent sessions from
+ being used for too long.
+
 tune.zlib.memlevel
 Sets the memLevel parameter in zlib initialization for each session. It defines how much memory should be allocated for the intenal compression
diff --git a/include/types/global.h b/include/types/global.h
index 3cd077245..f2a010267 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -114,6 +114,7 @@ struct global {
 int max_http_hdr; /* max number of HTTP headers, use MAX_HTTP_HDR if zero */
 #ifdef USE_OPENSSL
 int sslcachesize; /* SSL cache size in session, defaults to 20000 */
+ unsigned int ssllifetime; /* SSL session lifetime in seconds */
 #endif
 #ifdef USE_ZLIB
 int zlibmemlevel; /* zlib memlevel */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 0ca7a6f97..4ee5f89c9 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -571,6 +571,26 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 }
 global.tune.sslcachesize = atol(args[1]);
 }
+ else if (!strcmp(args[0], "tune.ssl.lifetime")) {
+ unsigned int ssllifetime;
+ const char *res;
+
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects ssl sessions in seconds as argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
+ res = parse_time_err(args[1], &ssllifetime, TIME_UNIT_S);
+ if (res) {
+ Alert("parsing [%s:%d]: unexpected character '%c' in argument to <%s>.\n",
+ file, linenum, *res, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
+ global.tune.ssllifetime = ssllifetime;
+ }
 #endif
 else if (!strcmp(args[0], "tune.bufsize")) {
 if (*(args[1]) == 0) {
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 75f7b5d88..f6c410f34 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -561,6 +561,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 #endif
 }
+ if (global.tune.ssllifetime)
+ SSL_CTX_set_timeout(ctx, global.tune.ssllifetime);
+
 shared_context_set_cache(ctx);
 if (bind_conf->ciphers && !SSL_CTX_set_cipher_list(ctx, bind_conf->ciphers)) {
@@ -702,6 +705,9 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
 #endif
 }
+ if (global.tune.ssllifetime)
+ SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global.tune.ssllifetime);
+
 SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
 if (srv->ssl_ctx.ciphers && !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {
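Review bot: The new `tune.ssl.lifetime` branch accepts a parsed value of 0 without complaint, and because ssl_sock_prepare_ctx only calls SSL_CTX_set_timeout when global.tune.ssllifetime is non-zero, `tune.ssl.lifetime 0` ends up silently equivalent to not writing the keyword at all instead of being reported to the operator. A positive-value check right after the parse_time_err call, shown below, makes that misconfiguration visible at startup; if zero is instead meant as a documented way to keep the library default, the alternative is to say so in configuration.txt rather than reject it. The first Alert's text "expects ssl sessions in seconds" does not name what is expected and uses `[%s:%d] :` where the second Alert uses `[%s:%d]:`; `'%s' expects an ssl session lifetime in seconds as argument.` with the same spacing as the second message would fix both. cfg_parse_global starts before and ends after this hunk.
```c
		res = parse_time_err(args[1], &ssllifetime, TIME_UNIT_S);
		/* … unchanged: unexpected-character Alert, err_code, goto out … */

		if (!ssllifetime) {
			Alert("parsing [%s:%d] : '%s' expects a strictly positive ssl session lifetime in seconds.\n",
			      file, linenum, args[0]);
			err_code |= ERR_ALERT | ERR_FATAL;
			goto out;
		}

		global.tune.ssllifetime = ssllifetime;
```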
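Review bot: The guard `if (global.tune.ssllifetime)` in ssl_sock_prepare_ctx leaves the meaning of zero implicit: the value is only ever applied when non-zero, so the 300 s default that configuration.txt advertises is whatever the SSL_CTX's own default timeout happens to be, not something this code sets. A one-line comment on the guard, `/* 0 = keep the library's default session timeout */`, together with the same words in the new global.h field comment (`/* SSL session lifetime in seconds, 0 = library default */`), would keep the doc, the header and the two call sites from drifting apart. The same guard is repeated in ssl_sock_prepare_srv_ctx in the next hunk, where SSL_SESS_CACHE_OFF is set on the very next line, so the timeout on that context presumably only matters if sessions are retained by some other means; a short comment stating that this is intentional would save the next reader the question. Both functions start before and end after their hunks.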