Re: [AOLSERVER] maxkeepalive in 4.01
From: Rob Crittenden [EMAIL PROTECTED]

> Gustaf Neumann wrote:
>> we use pound as a reverse proxy, which handles all incoming SSL connections and feeds currently two backend servers via plain http. This works very well, today we had more than 3 million SSL requests on our system.
>
> I'm confused. In your first message it seemed like AOLserver was handling the SSL connection, now it isn't? How is this an issue with AOLserver if you have a proxy handling the SSL connection?

It is the same issue: if AOLserver is keeping the connection to pound (the reverse proxy) open, pound keeps it open to the client (or some other proxy in between). The connection from AOLserver to pound is http, while the outgoing one is SSL based. IE has problems with keepalive+SSL+forms, no matter whether the connection comes from an AOLserver, pound, apache or whatever.

So it is no issue (in the sense of problem or bug) with aolserver per se, but unfortunately an aolserver operator has to handle this situation.

-gustaf

PS: Btw, the situation could be solved by a proxy in front of IE (e.g. on the client's machine) that does the SSL decryption for IE. However, for most people this is no option, handling of unknown certificates would not be simple.

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank.

[AOLSERVER] maxkeepalive in 4.01
Dear aolserver community,

We had a problem with ssl and microsoft IE where form contents (either transmitted via POST or GET) were omitted by the browser under certain conditions (keep alive set, the reply of the form was transmitted not immediately, but in CLOSE_WAIT state).

In aolserver 3.* we used maxkeepalive = 0 in the config file to deactivate the keepalive, but in aolserver 4.1 this option appears roughly to be a noop:

    [~/aolserver-4.1]$ fgrep maxkeep */*.c
    nsd/nsconf.c:nsconf.keepalive.maxkeep = GetInt(maxkeepalive, KEEPALIVE_MAXKEEP_INT);

Setting keepalivetimeout to 0 helped in our situation with 4.1.

Due to the mess with IE (multiple problems appear to be in multiple versions for multiple windows versions) ssl + keepalive is currently - and most likely for a while - a nono. It took us some time to track down the problem, maybe this mail helps others (item for FAQs?).

best regards
-gustaf neumann

PS: We have still a problem with 4.1 with a memleak. Our server grows with the speed of about 2MB/minute with 4.1, while essentially the same code worked without leak with 3.*. Do others have similar experiences?

Re: [AOLSERVER] maxkeepalive in 4.01
Gustaf,

MSIE versions are riddled with problems. Ensure SSL session caching is turned on.

Looking at the sources, keepalivetimeout is the correct parameter for AOLserver 4.x -- setting this to 0 disables keepalive entirely.

Also, MSIE 6.x has intermittent POST problems with the behavior you mentioned (though GET should work fine). Go see previous discussions in this forum; I'm pasting here for convenience:

Here's the pertinent text from Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx

    Why am I getting errors when attempting to access certain SSL protected Web Sites?

    After installing the Internet Explorer 6.0 SP1 version of this update, there may be intermittent failures of POST requests to SSL protected sites. This may cause some users to receive an HTTP 500 (Internal server error) while attempting to access certain Web Sites. Microsoft is aware of this issue and has released an update. Information on obtaining this update may be found in the Knowledge Base Article 831167. This update will be included in future Cumulative Security Updates for Internet Explorer.

The fix is here and must be applied to MSIE:

http://support.microsoft.com/default.aspx?kbid=831167

/s.

On Apr 20, 2004, at 6:55 AM, Gustaf Neumann wrote:

> Dear aolserver community,
>
> We had a problem with ssl and microsoft IE where form contents (either transmitted via POST or GET) were omitted by the browser under certain conditions (keep alive set, the reply of the form was transmitted not immediately, but in CLOSE_WAIT state).
>
> In aolserver 3.* we used maxkeepalive = 0 in the config file to deactivate the keepalive, but in aolserver 4.1 this option appears roughly to be a noop:
>
>     [~/aolserver-4.1]$ fgrep maxkeep */*.c
>     nsd/nsconf.c:nsconf.keepalive.maxkeep = GetInt(maxkeepalive, KEEPALIVE_MAXKEEP_INT);
>
> Setting keepalivetimeout to 0 helped in our situation with 4.1.
>
> Due to the mess with IE (multiple problems appear to be in multiple versions for multiple windows versions) ssl + keepalive is currently - and most likely for a while - a nono. It took us some time to track down the problem, maybe this mail helps others (item for FAQs?).
>
> best regards
> -gustaf neumann
>
> PS: We have still a problem with 4.1 with a memleak. Our server grows with the speed of about 2MB/minute with 4.1, while essentially the same code worked without leak with 3.*. Do others have similar experiences?

Re: [AOLSERVER] maxkeepalive in 4.01
Hi Scott,

> Gustaf, MSIE versions are riddled with problems. Ensure SSL session caching is turned on.

we use pound as a reverse proxy, which handles all incoming SSL connections and feeds currently two backend servers via plain http. This works very well, today we had more than 3 million SSL requests on our system.

> Looking at the sources, keepalivetimeout is the correct parameter for AOLserver 4.x -- setting this to 0 disables keepalive entirely.

right. i just wanted to hint that maxkeepalive - which worked for the same purpose in 3.* - is in current 4.x versions more or less a noop.

> Also, MSIE 6.x has intermittent POST problems with the behavior you mentioned (though GET should work fine). Go see previous discussions in this forum; I'm pasting here for convenience:
>
> Here's the pertinent text from Microsoft:
>
> http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
> ...
> http://support.microsoft.com/default.aspx?kbid=831167

From what i can tell, the situation is even more complicated. i have on my notebook a version of IE with the mentioned patch installed, and i could still get this error (not when the TCP-connection was completely terminated, only in the CLOSE_WAIT state). There seem to be older and newer versions with and without that bug. We saw also the problem with some GET requests in the logfile (we wrote the request from the error branch of the ns_form handling in oacs to the errorlog).

i am still puzzled about the severity of the problem, the mess is hard to believe; everybody running an eshop must have this problem.

-gustaf

Re: [AOLSERVER] maxkeepalive in 4.01
Gustaf Neumann wrote:

> we use pound as a reverse proxy, which handles all incoming SSL connections and feeds currently two backend servers via plain http. This works very well, today we had more than 3 million SSL requests on our system.

I'm confused. In your first message it seemed like AOLserver was handling the SSL connection, now it isn't? How is this an issue with AOLserver if you have a proxy handling the SSL connection?

>> Looking at the sources, keepalivetimeout is the correct parameter for AOLserver 4.x -- setting this to 0 disables keepalive entirely.
>
> right. i just wanted to hint that maxkeepalive - which worked for the same purpose in 3.* - is in current 4.x versions more or less a noop.

I think you're right. The value is set but never used. To disable keepalives in 4.x set keepalivetimeout to 0.

rob

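
Added example, not part of the thread and not AOLserver code: because the thread finds that maxkeepalive is read but never used in 4.x, the setting that is meant to disable keep-alive is worth checking on the wire at each hop (backend and reverse proxy). The function names are hypothetical, the two local servers are constructed stand-ins for a backend, and HEAD requests are used so there is no response body to drain.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def read_head(sock):
    """Read one response header block; None if the peer closed first."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return buf

def connection_reused(host, port, timeout=3.0):
    """True if the server answers a second request on the same TCP connection."""
    req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: keep-alive\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        if read_head(s) is None:
            raise ConnectionError("no response to first request")
        try:
            s.sendall(req)
            return read_head(s) is not None
        except OSError:  # reset, broken pipe or timeout: connection was not kept
            return False

def start_test_server(protocol):
    """Constructed local stand-in: 'HTTP/1.1' keeps connections, 'HTTP/1.0' closes."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = protocol
        def do_HEAD(self):
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for proto in ("HTTP/1.1", "HTTP/1.0"):
        srv = start_test_server(proto)
        port = srv.server_address[1]
        print(proto, "connection reused:", connection_reused("127.0.0.1", port))
        srv.shutdown()
```

Run `connection_reused` against the real backend before and after the configuration change; a result of True after the change means keep-alive is still active on that hop.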