Akins, Brian wrote:
> Not the most appropriate forum, but we are willing to pay a reward to
> someone who can definitively help use with a mod_ssl (Apache 2.0.54) and IE
> issue. It seems to only affect older versions (5.5 and early 6).
For reference:
[Mon Jun 20 20:23:23 2005] [debug] ssl_engine_io.c(1522): OpenSSL: I/O
error, 11 bytes expected to read on BIO#87b01f8 [mem: 880daa8]
[Mon Jun 20 20:23:23 2005] [debug] ssl_engine_kernel.c(1813): OpenSSL: Exit:
error in SSLv2/v3 read client hello A[Mon Jun 20 20:23:23 2005] [info]
(70014)End of file found: SSL handshake interrupted by system [Hint: Stop
button pressed in browser?!]
Apache config:
from standard apache config
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider"
redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully#ssl global options
SSLPassPhraseDialog exec:/opt/apache/https-relay/config/https.password
SSLSessionCache dbm:/logs/https-relay.ssl_session_cache
SSLSessionCacheTimeout 600
SSLMutex semListen 443
<VirtualHost *:443>
ServerName xxxxxxxxx.com
SSLEngine on
SSLCertificateFile /opt/apache/https-relay/config/xxxxxx.crt
SSLCertificateChainFile /opt/apache/https-relay/config/intermediate.crt
SSLCertificateKeyFile /opt/apache/https-relay/config/xxxxxxxxx.keySetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
--
Brian Akins
Lead Systems Engineer
CNN Internet Technologies
A couple of quick points (maybe you're tried them all already)
- Check with truss/tusc to see if read is timing out at system level (system read buffers may be getting full)
- Did you try tracking what is happening with the SSL protocol using ssldump ?. You can probably start analyzing the protocol bits going across.
- Did you check if IE is mis-behaving and ignoring the 'no-keepalive' flag ?
- (May not mean much) Can you enable & disable HTTP/1.1 in IE and analyze traffic using ssldump ?
If you send me across the ssldump output,I can try to see what might be going wrong.
-Madhu
On 6/20/05, Akins, Brian <[EMAIL PROTECTED]> wrote:
- Re: Reward SSL and IE Madhusudan Mathihalli
- Re: Reward SSL and IE Jeff White
- Re: Reward SSL and IE William A. Rowe, Jr.
- Re: Reward SSL and IE William A. Rowe, Jr.
- Re: Reward SSL and IE Akins, Brian
