Hello,
We here at Aventail have noticed a problem with some SSL session resumptions
between IE and Apache + mod_ssl + OpenSSL. We've seen this problem when using
IE 4.x, 5.0 and 5.5 on Windows 95 and 98. We haven't tested this with Windows
ME or 2000. Windows NT doesn't appear to have this problem. Though our tests
are far from scientific or conclusive, and all of this may matter not. We are
using mod_ssl version 2.1.3 with considerable patches and OpenSSL version
0.9.5a on sparc Solaris 2.6. Client certs are not involved.
The problem is that "on occasion" IE will renegotiate a session (because IE
does this every two minutes), shortly thereafter resume this session (to
fetch images, frame sources, etc.), and after having received a what we think
to be a proper response from the server simply close the connection. This
behaviour will continue (for example if the refresh button is pressed) until
two minutes have passed and IE renegotiates a new session.
Our test website contains numerous frames, large HTML documents, and images.
To the end user, when this failure occurs either broken images appear, a
dialog box appears that says there is a mix of secure and non-secure content
(because IE is attempting to draw its own res:... content to say that there
was a failure), or that the top-level frame fails to load and IE loads its
own res:... error message.
This[1] is an ethereal trace of the problem.
So, my question is simply "Has anyone seen this problem before?".
Thank You,
Tom
[1] http://www.vaughan.to/tmp/
--
Tom Vaughan <tom at vaughan dot to>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
