As you know, we've discovered nasty problems with MSIE clients which seem to
be related to the recently fixed SSL close notify stuff. Because the current
code _IS_ already correct and standard compliant, I cannot change anything to
make MSIE happy again. Nevertheless we need a solution. So I've today thought
about the situation and found a practical solution which will occur with
2.2.7: The behaviour on connection close can be now adjusted on a per request
basis. This way one can for instance force a different type of shutdown
approach for MSIE clients.
Basically there are three approaches:
1. the unclean approach where no close notify alerts are sent or received
(violates the SSL/TLS standard),
2. the accurate approach where a close notify alert is sent and the close
notify of the client received (can cause hanging connections), and
3. (the default!) where mod_ssl sends the close notify but doesn't wait for
the client's close notify (which _IS_ standard compliant!).
Approach 1.) can be forced with a variable ssl-unclean-shutdown and 2.) can be
forced with a variable ssl-accurate-shutdown.
So, those of you who still have problems with MSIE clients should now apply
the appended patch to ssl_engine_kernel.c and add the following line to the
SSL-aware virtual host:
SetEnvIf User-Agent "^MSIE.*" ssl-unclean-shutdown
This forces mod_ssl 2.2.6 to behave like mod_ssl 2.1 on connection close and
this way should solve the MSIE problems. Additionally you can use
SetEnvIf User-Agent "^MSIE.*" nokeepalive
to avoid keep-alive situations with MSIE. Please try this out and give me
feedback. I've already applied the patch and the above two directives to the
server on en4.engelschall.com, so for a quick test, those who still had
problems there can now again connect to https://en4.engelschall.com/ with the
MSIE clients and try again. I really hope the problems are now gone. If not,
I've no more clue what we can do...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Index: ssl_engine_kernel.c
===================================================================
RCS file: /e/modssl/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -r1.75 -r1.76
--- ssl_engine_kernel.c 1999/03/23 09:52:45 1.75
+++ ssl_engine_kernel.c 1999/03/28 18:50:09 1.76
@@ -438,6 +438,7 @@
void ssl_hook_CloseConnection(conn_rec *conn)
{
SSL *ssl;
+ char *cpType;
ssl = ap_ctx_get(conn->client->ctx, "ssl");
if (ssl == NULL)
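Review bot: `cpType` is declared without an initialiser; every branch of the new if/else chain in the next hunk assigns it before the log call uses it, and the early return for `ssl == NULL` leaves it unused, so this is correct today, but `char *cpType = "standard";` would keep the later `ssl_log(..., cpType, ...)` safe if another branch is ever added.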
@@ -475,8 +476,28 @@
* 4.x) don't send one, so we would hang.
*/
- /* send close notify message */
- SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ /*
+ * exchange close notify messages, but allow the user
+ * to force the type of handshake via SetEnvIf directive
+ */
+ if (ap_ctx_get(conn->client->ctx, "ssl::flag::unclean-shutdown") == (void *)1) {
+ /* perform no close notify handshake at all
+ (violates the SSL/TLS standard!) */
+ SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+ cpType = "unclean";
+ }
+ else if (ap_ctx_get(conn->client->ctx, "ssl::flag::accurate-shutdown") == (void
+*)1) {
+ /* send close notify and wait for clients close notify
+ (standard compliant, but usually causes connection hangs) */
+ SSL_set_shutdown(ssl, 0);
+ cpType = "accurate";
+ }
+ else {
+ /* send close notify, but don't wait for clients close notify
+ (standard compliant and safe, so it's the DEFAULT!) */
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ cpType = "standard";
+ }
SSL_smart_shutdown(ssl);
/* deallocate the SSL connection */
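Review bot: the unclean branch `SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)` marks both directions as already shut down so that `SSL_smart_shutdown` sends nothing at all; the comment should say what is lost, namely that the close notify alert is the only signal the peer has to tell an intended end of data from a connection cut off early, which is why the comment calls it a standard violation. The two `== (void *)1` lookups also give the flags an undocumented precedence (unclean wins when both `ssl-unclean-shutdown` and `ssl-accurate-shutdown` are set); a one-line comment stating that, or a check in the request hook that sets the flags, would make the behaviour explicit.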
@@ -485,8 +506,8 @@
/* and finally log the fact that we've closed the connection */
ssl_log(conn->server, SSL_LOG_INFO,
- "Connection to child %d closed (server %s)",
- conn->child_num, ssl_util_vhostid(conn->pool, conn->server));
+ "Connection to child %d closed with %s shutdown (server %s)",
+ conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server));
return;
}
@@ -529,6 +550,9 @@
if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
return DECLINED;
+ /*
+ * Log information about incoming HTTPS requests
+ */
ssl_log(r->server, SSL_LOG_INFO,
"%s HTTPS request received for child %d (server %s)",
r->connection->keepalives <= 0 ?
@@ -537,6 +561,19 @@
r->connection->keepalives+1),
r->connection->child_num,
ssl_util_vhostid(r->pool, r->server));
+
+ /*
+ * Move SetEnvIf information from request_rec to conn_rec/BUFF
+ * to allow the close connection handler to use them.
+ */
+ if (ap_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL)
+ ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", (void
+*)1);
+ else
+ ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", (void
+*)0);
+ if (ap_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL)
+ ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", (void
+*)1);
+ else
+ ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", (void
+*)0);
return DECLINED;
}
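Review bot: both flags are rewritten on every request (each `else` branch stores `(void *)0`), so on a keep-alive connection the mode used by `ssl_hook_CloseConnection` is whatever the last request's `SetEnvIf` match produced, and a connection that closes before this hook has run (for example a failed handshake) gets `NULL` from `ap_ctx_get` and falls through to the default; both cases deserve a sentence in the comment at `Move SetEnvIf information from request_rec to conn_rec/BUFF`. The `(void *)1` / `(void *)0` literals now appear six times across the two hunks; a named macro shared with the checks in `ssl_hook_CloseConnection` would keep the setter and the reader from drifting apart.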
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
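The patch changes the close log line to "Connection to child %d closed with %s shutdown (server %s)", which gives an admin a way to confirm that the SetEnvIf rule above actually fires for MSIE connections. The following script is an added example and is not part of the original message or of mod_ssl itself; the log lines it parses are constructed samples, and the timestamp prefix format is an assumption.

```python
import re
from collections import Counter, defaultdict

# Matches the close log line introduced by the patch:
#   "Connection to child %d closed with %s shutdown (server %s)"
CLOSE_RE = re.compile(
    r"Connection to child (?P<child>\d+) closed with "
    r"(?P<mode>unclean|accurate|standard) shutdown \(server (?P<server>[^)]+)\)"
)

# Constructed sample log lines (not real server output); the bracketed prefix
# is an assumed ssl_engine_log format. The last line uses the pre-patch wording.
SAMPLE_LOG = """\
[28/Mar/1999 18:55:01 00123] [info]  Connection to child 3 closed with unclean shutdown (server en4.engelschall.com:443)
[28/Mar/1999 18:55:02 00124] [info]  Connection to child 4 closed with standard shutdown (server en4.engelschall.com:443)
[28/Mar/1999 18:55:03 00123] [info]  Connection to child 3 closed with unclean shutdown (server en4.engelschall.com:443)
[28/Mar/1999 18:55:04 00125] [info]  Connection to child 5 closed with accurate shutdown (server other.example.com:443)
[28/Mar/1999 18:55:05 00126] [info]  Connection to child 6 closed (server en4.engelschall.com:443)
"""


def parse_close_events(text):
    """Yield (server, mode, child) for each new-format close line; old-format lines are skipped."""
    for line in text.splitlines():
        m = CLOSE_RE.search(line)
        if m:
            yield m.group("server"), m.group("mode"), int(m.group("child"))


def shutdown_summary(text):
    """Count shutdown modes per virtual host so the SetEnvIf effect is visible at a glance."""
    summary = defaultdict(Counter)
    for server, mode, _child in parse_close_events(text):
        summary[server][mode] += 1
    return {server: dict(counts) for server, counts in summary.items()}


def unclean_fraction(text, server):
    """Share of connections on `server` that closed with no close notify exchange at all."""
    counts = Counter(mode for s, mode, _child in parse_close_events(text) if s == server)
    total = sum(counts.values())
    return counts["unclean"] / total if total else 0.0


if __name__ == "__main__":
    for server, counts in shutdown_summary(SAMPLE_LOG).items():
        print(server, counts, "unclean share: %.2f" % unclean_fraction(SAMPLE_LOG, server))
```

A high unclean share on a host that does not match the MSIE rule would indicate the SetEnvIf pattern is broader than intended.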