Full_Name: Martin Dickau
Version: 2.7.2.2
OS: Windows 2000
Submission from: (NULL) (216.57.24.244)


We are experiencing an MSIE 5.x connection failure problem similar to what
others are reporting.  There is a timing aspect to the problem, however.

Environment: OpenSA 1.0.0b3 (Apache 1.3.14, OpenSSL 0.9.6, mod_ssl 2.7.2.2) on
Windows 2000 Advanced Server.  The various httpd.conf changes suggested in the
FAQ (nokeepalive/downgrade-1.0 and !EXPORT56 in the cipher list) have been
applied without effect.

Primary symptom: Some IE 5.x (particularly 5.0x) either cannot connect to our
site at all ("cannot find server or DNS error") or get through the first couple
of pages and then get the same error.  The common thread is that these people
are going over a slow connection (dial-up or relatively low bandwidth DSL). 
Some of these configurations work fine when connected to a high-speed line (we
have users with laptops that work at the office and fail at home, for example).

In attempting to diagnose this problem, we discovered that changing the log
levels in the server can actually cause the client to see different results. 
Normally, we run with LogLevel error (piped through rotatelogs), no SSLLog at
all, and no CustomLog/TransferLog.  We have two virtual hosts, one on port 80
that does not override the logging, one on port 443 that creates a second error
log for the SSL accessors.

We have found that setting SSLLogLevel debug causes some pages that reliably
produce the error to suddenly become accessible.  Furthermore, setting ErrorLog
debug and setting up CustomLog causes all pages to become accessible.  All of
this over the very same dial-up session producing the error in the first place. 
(At this point, we were also able to turn logging levels back down and cause the
error to reappear.)

We also tried stepwise increments of SSLLogLevel, and it was only debug that
made a difference.

Snippets of the httpd.conf:

Timeout 300
KeepAlive On
KeepAliveTimeout 15

SSLSessionCache         dbm:logs/ssl/scache
SSLSessionCacheTimeout  300
SSLMutex sem

<VirtualHost _default_:443>

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:!NULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

</VirtualHost>

Thanks,

Martin

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
