>> You can try just:
>> SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
>> 
>>> Why does it affect https but not http?
>>
>> Don't ask me: It's a problem in MSIE AFAIK.

What does the shutdown sequence in Apache with mod_ssl look like?

With a different SSL application, I have observed strange behaviour
with Netscape Navigator (version 4.5).  When the server has closed the
connection (because its HTTP keepalive time is up) by sending a
closure alert, Netscape still tries to read more data from the server
-- it just ignores the alert.  Of course the server has stopped
sending data and just ignores any new request sent by the client.  To
circumvent this Netscape problem, the server must send a TCP FIN after
the close_notify alert; only then Netscape sends its own close_notify,
and the connection finally ends cleanly.

What makes things more difficult is that the browser keeps connections
half-closed (without knowing that its TCP received a FIN) for a long
time while it does not need them -- it does not probe them for closure
alerts or FINs.  As the server probably wants its TCP to go to CLOSED
state instead of sleeping in FIN-WAIT-2 state, it has to do a
half-duplex TCP close after some time-out period (which means that the
client will get a RST as soon as it tries to send its next request --
in this case, it appears very likely that the client does not even
look at the closure alert that its TCP received).  Since the server
does not receive a close_notify from the client, such sessions become
unresumable according to the TLS specification.

Did Microsoft really invent a unique way of getting things wrong, or
are the IE problems similar to this?
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
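
The server-side close sequence described in the message above (close_notify, then TCP FIN, then a timed wait before the full close), as an added example that is not part of the original post and is not mod_ssl code. It assumes a local socket pair in place of a TLS connection and a constructed plaintext alert record in place of the encrypted close_notify; all function names are hypothetical.

```python
import socket
import threading

# Stand-in for close_notify: a plaintext alert record (type 21, version 3.1,
# length 2, level warning, description 0). Constructed for this demo; a real
# session sends the alert encrypted.
CLOSE_NOTIFY = bytes([21, 3, 1, 0, 2, 1, 0])

def server_close(conn, wait_seconds):
    """close_notify, then TCP FIN, then a bounded wait for the peer's alert.
    Returns (outcome, session_resumable)."""
    conn.sendall(CLOSE_NOTIFY)        # 1. closure alert
    conn.shutdown(socket.SHUT_WR)     # 2. half-close: our TCP sends FIN
    conn.settimeout(wait_seconds)     # 3. do not wait in FIN-WAIT-2 forever
    received = b""
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:             # peer's FIN
                break
            received += chunk
        outcome = "clean" if received.endswith(CLOSE_NOTIFY) else "eof-without-alert"
    except socket.timeout:
        outcome = "timeout"           # peer never answered; give up
    finally:
        conn.close()                  # 4. full close
    return outcome, outcome == "clean"

def polite_peer(sock, release):
    """Reads until EOF (alert + FIN), then answers with its own alert."""
    while sock.recv(4096):
        pass
    sock.sendall(CLOSE_NOTIFY)
    sock.close()

def idle_peer(sock, release):
    """Keeps the half-closed connection around without reading from it."""
    release.wait()
    sock.close()

def run(peer, wait_seconds=0.3):
    server, client = socket.socketpair()
    release = threading.Event()
    worker = threading.Thread(target=peer, args=(client, release))
    worker.start()
    result = server_close(server, wait_seconds)
    release.set()
    worker.join()
    return result

if __name__ == "__main__":
    print(run(polite_peer), run(idle_peer))
```

The second element of the result follows the message's statement that a session closed without the client's close_notify is treated as unresumable.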
