Here is a more complete description of the problem, aligned with my latest tests.

As the situation is very fuzzy, do not hesitate to answer if you have found additional info.



General Apache configuration to reproduce the problem:

<VirtualHost _default_:443>
    SSLVerifyClient none
    <Location /subdir/>
        SSLVerifyClient require
    </Location>
</VirtualHost>



Actions to reproduce the original problem:

- go to https://myserver/index.html

- go to https://myserver/subdir/post.html (a page that posts some data)

- wait at least 1 min. before clicking to post the data



Different flavours of IE 6/SSL:

Regarding SSL handling, we have several flavours of IE 6.

I'll give a time-sorted list, with a totally "proprietary" naming convention referring to the bug descriptions below:

- flavour 1: containing bug 1 & 2

- flavour 2: containing bug 1, but not 2

- flavour 3: containing neither bug 1 nor bug 2; incompatible with the work-around for bug 1

- flavour 4: containing neither bug 1 nor bug 2, but compatible with the work-around for bug 1



Bug descriptions:

1. If you don't use the 'ssl-unclean-shutdown' directive, some old versions of IE 6 (flavours 1 & 2) cannot connect to 'https://myserver/subdir/post.html' because of an incompatibility with the SSL standard in the renegotiation mechanism.

This is the same problem as with IE 4 & 5.

If you use the directive, these versions can connect correctly but some newer versions (flavour 3) cannot connect.

2. If you don't use the 'nokeepalive' directive, some old versions of IE 6 (flavour 1) lose their form data if they wait too long (sometimes more than 15 s) before submitting it (see MS KB 831167).

If you use the directive, it works correctly, also with all other versions of IE.

Instead of this directive, we can also extend the keep-alive interval to more than 1 min.



When to use the directives?

It seems a good practice to disable keep-alive for all IE browsers, even if some support it correctly, although I'm not sure about the performance impact. Shouldn't we instead increase the keep-alive interval? Are there other problems with keep-alive?

For the 'ssl-unclean-shutdown', there are only 2 possibilities, as there is no way (at least none I'm aware of) of distinguishing between IE 6 flavours:

1. always use it for all IE versions: SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

This will work with most versions of IE, except flavour 3.

As flavour 3 is post-SP2, I expect most of these browsers to be updated through Windows Update, or at least I could ask my clients to do it.

2. use it only for IE 4/5: SetEnvIf User-Agent ".*MSIE [45].*" ssl-unclean-shutdown

This will work with all versions of IE, but not with flavour 1 & 2.

As flavours 1/2 are pre-SP2, there may be a large number of machines still at this level, especially in companies.

As you can see, no solution is totally perfect, but the first one may be better.

Btw, I did not try with IE 7, but I expect it not to have bug 1 and to correctly support SSL renegotiation, so we should use:

SetEnvIf User-Agent ".*MSIE [456].*" ssl-unclean-shutdown nokeepalive



Marc
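The two SetEnvIf options and the combined IE 4/5/6 rule above hinge on a regular expression being matched against the User-Agent header, so it is worth checking each candidate pattern against real-looking header values before deploying it. The following is an added example, not code from the post or from Apache: it simulates mod_setenvif's behaviour (an unanchored regex search over the header value, setting the listed variables on a match) in Python, runs the candidate patterns against constructed User-Agent strings, and also shows that a pattern with a misplaced quantifier such as `.*MSIE. [45]*` matches no standard IE User-Agent at all. The UA strings and rule names are constructed for this example, not taken from a server log.

```python
import re

# Constructed sample User-Agent strings (assumptions for this example, not
# captured from a real server log). The last IE-like one is Opera identifying
# itself as IE 6, a common spoofing mode at the time.
SAMPLE_USER_AGENTS = {
    "ie4": "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
    "ie5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "opera_as_ie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) "
               "Gecko/20061010 Firefox/2.0",
}

# Candidate rule sets, each entry mirroring one
#   SetEnvIf User-Agent "<regex>" var1 [var2 ...]
# line. Names are this example's own.
RULESETS = {
    # option 1: ssl-unclean-shutdown for every IE
    "all_ie": [(r".*MSIE.*", ("ssl-unclean-shutdown",))],
    # option 2: ssl-unclean-shutdown for IE 4/5 only
    "ie45_only": [(r".*MSIE [45].*", ("ssl-unclean-shutdown",))],
    # combined rule: IE 4-6 get both work-arounds, IE 7 gets neither
    "ie456": [(r".*MSIE [456].*", ("ssl-unclean-shutdown", "nokeepalive"))],
}

# Misplaced quantifier: "MSIE" + any char + literal space + zero or more 4/5.
# After "MSIE" the next char is a space and the one after that is a digit,
# so the required literal space never matches.
BROKEN_PATTERN = r".*MSIE. [45]*"


def setenvif(user_agent, rules):
    """Return the set of env vars the rules would set for this User-Agent.

    mod_setenvif runs an unanchored regex search over the header value and
    sets every listed variable when the pattern matches; re.search is the
    closest Python equivalent for these patterns.
    """
    env = set()
    for pattern, variables in rules:
        if re.search(pattern, user_agent):
            env.update(variables)
    return env


def evaluate(ruleset_name):
    """Map each sample UA name to the env vars a rule set would produce."""
    rules = RULESETS[ruleset_name]
    return {name: setenvif(ua, rules) for name, ua in SAMPLE_USER_AGENTS.items()}


def matching_agents(pattern):
    """Names of the sample UAs a single pattern matches, in a stable order."""
    return sorted(name for name, ua in SAMPLE_USER_AGENTS.items()
                  if re.search(pattern, ua))


if __name__ == "__main__":
    for name in RULESETS:
        print(name)
        for ua_name, env in evaluate(name).items():
            print("  %-12s %s" % (ua_name, sorted(env) or "-"))
    print("broken pattern matches:", matching_agents(BROKEN_PATTERN) or "nothing")
```

Two things the run makes visible that the regexes alone do not: `ie45_only` leaves IE 6 without `ssl-unclean-shutdown` (which is exactly the trade-off discussed for flavours 1 and 2), and any rule keyed on `MSIE` also catches browsers that present themselves as IE, so Opera in IE-spoofing mode would lose keep-alive as well.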


