MSIE clients with broken SSL close notify

Mon, 31 May 1999 06:14:19 -0700 

Hi,

I just read the thread "Practical solution for MSIE problems!?" which was
back around 3/28/99 after bumping to the below line in the SSL httpd.conf
configuration file in the SSL VHost.

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

I understand that this is a workaround for a SSL shutdown problem with MSIE
that results from keepalive connections. Specifically that the problem is a
combination of keep-alive and SSL-close-stuff in MSIE:

Ralf wrote:
> > 6) If one disables keep-alives the problem doesn't exists.
>
> Yes, as I said: The problem is a _combination_ of keep-alive and SSL close
> notify alerts.

John Hamlik discovered that the problem could be fixed by just disabling
keepalive connections with MSIE.

I want to know if I can solve the problem with just the ssl-unclean-shutdown
flag. I hate to disable the keepalive functionality because of the
performance hit it would create. If the problem is simply a combination of
the shutdown and the keepalive, then I'd rather change the shutdown than
disable keepalive.

However, I'm not sure if this really works. If I try to solve the problem
this way, will the MSIE clients still get errors? Perhaps
ssl-unclean-shutdown just protects the server from MSIE's goof, but MSIE
still goofs. I simply don't know.

(I tried to do some testing, but could not duplicate any errors in my MSIE
when I removed the fix-up SetEnvIf line.)

Ralf wrote the following, which hints at some stuff:

Ralf wrote:
> So, those of you who've still problems with MSIE clients, should now apply
the
> appended patch to ssl_engine_kernel.c and add the following line to the
> SSL-aware virtual host:
>
>    SetEnvIf User-Agent "^MSIE.*" ssl-unclean-shutdown
>
> This forces mod_ssl 2.2.6 to the behave like mod_ssl 2.1 on connection
close
> and this way should solve the MSIE problems. Additionally
> you can use
>
>    SetEnvIf User-Agent "^MSIE.*" nokeepalive
>
> to avoid keep-alive situations with MSIE.

What are "keep-alive situations with MSIE"? Can someone clarify what is
going on, please.

 - David Harris
   Principal Engineer, DRH Internet Services


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to