On Saturday 07 November 2009, Lars Eilebrecht wrote:
> Ruediger Pluem wrote on 2009-11-07 00:29:41:
> > > -BrowserMatch ".*MSIE.*" \
> > > - nokeepalive ssl-unclean-shutdown \
> > > - downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> > > + downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
> > >
> > > # Per-Server Logging:
> > > # The home of a custom SSL log file. Use this when you want
> > > a
> >
> > Do we really know that IE >= 6 do not need these additional
> > options any longer?
>
> The bug about SSL renegotiation got fixed in one of the IE 6
> earlier versions, so some of the very very old versions of IE 6
> won't work, but the market share of these versions if effectively
> 0%.
>
> If you google for it you'll find some people recommending the use
> of the above configuration, and I've been using it on various
> sites since a few years without any problems.
>
> The main issue with our previous config is that we are disabling
> keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS
> server.
Shouldn't you use something like this?
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown
There are no MSIE 1.x around anymore, but MSIE 10, 11, ... will happen
in the not too distant future.
BTW, I am not so sure that MSIE 6 works reliably with keepalive in all
situations (e.g. with proxys, plugins, etc.). Therefore I would
actually prefer [2-6] and [17-9].
Cheers,
Stefan
