On Mon, Oct 30, 2000 at 12:15:41AM +0100, [EMAIL PROTECTED] wrote:
> Full_Name: karl berry
> Version: 2.7.1-1.3.14
> OS: solaris 2.7
> Submission from: (NULL) (63.227.208.155)
>
>
> when connecting to a mod_ssl-enabled server with versions of
> internet explorer 5.00.2614.3500IC or below, going through a cisco
> local director, we get broken images or page-not-found errors
> with some frequency, on something like 1% of the connections.
>
> it is not reproducible in the sense that the same images will break
> every time through. it is reproducible in the sense that, sooner
> or later, some connection will be dropped.
>
> the problem only happens when all three of the above elements are
> present. if we use a later version of explorer, the bug does not
> happen. if we use dns round robin instead of the local director,
> the bug does not happen. unfortunately, we need to find a workaround
> that *includes* the affected explorer versions (very common), and the
> local director, due to circumstances beyond my control. so i am
> looking for a solution that just involves apache and mod_ssl.
>
> we are already doing the steps mentioned in the faq, specifically
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
> f$
> (without that, things are much worse).
>
> snooping the network interface shows that a tcp connection is opened
> for every image to the server, but that the connection for the broken
> image does not make it back out from apache. i do not know whether
> it gets into apache in the first place, or whether it is apache-level
> code or the solaris kernel that is dropping the connection.
>
> if anyone has any clues on how to determine that, as in what apache
> or ssl files/functions are the most likely avenues to pursue, i'd
> be grateful. or any other approaches to the problem, of course.
>
I have a feeling that this might be because the Local Director is sending
requests from the client to different servers, and then the previously
negotiated session is not valid on the other server. Start by checking
your Cisco setup to make sure that all requests from one client are sent
to the same server. Next set SSLLogLevel to debug (which will tell you
whether there is a session cache hit or not) and try it out both with
and without SSLSessionCache. BTW which type of session cache have you
set up the server to use now?
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
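
One way to run the check suggested in the reply above, as an added example (not part of the original message and not mod_ssl code): with SSLLogLevel debug set on every backend, collect the SSL logs and look for session IDs that one server cached and a different server then missed. The log line shape in the regex, the backend names web1/web2 and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# ASSUMED line shape for mod_ssl's SSL log at trace/debug level; adjust the
# pattern to match what your own log file actually contains.
CACHE_RE = re.compile(r"Inter-Process Session Cache: request=(?P<req>\w+) "
                      r"status=(?P<status>\w+) id=(?P<sid>[0-9A-Fa-f]+)")
PFX = "[30/Oct/2000 00:10:0%d 01234] [trace] Inter-Process Session Cache: "

# CONSTRUCTED sample logs from two hypothetical backends (web1, web2).
SAMPLE_LOGS = {
    "web1": [
        PFX % 1 + "request=SET status=OK id=A1B2C3 timeout=300s (session caching)",
        PFX % 2 + "request=GET status=FOUND id=A1B2C3 (session reuse)",
        PFX % 5 + "request=GET status=MISSED id=D4E5F6 (session renewal)",
    ],
    "web2": [
        PFX % 3 + "request=GET status=MISSED id=A1B2C3 (session renewal)",
        PFX % 4 + "request=SET status=OK id=D4E5F6 timeout=300s (session caching)",
        PFX % 6 + "request=GET status=MISSED id=0F0F0F (session renewal)",
    ],
}

def parse(logs):
    """Return ({session id: backend that cached it}, [(id, backend, status)])."""
    set_on, gets = {}, []
    for backend, lines in logs.items():
        for line in lines:
            m = CACHE_RE.search(line)
            if not m:
                continue
            sid = m["sid"].upper()
            if m["req"] == "SET" and m["status"] == "OK":
                set_on[sid] = backend
            elif m["req"] == "GET":
                gets.append((sid, backend, m["status"]))
    return set_on, gets

def cross_server_misses(logs):
    """Sessions cached on one backend but looked up, and missed, on another."""
    set_on, gets = parse(logs)
    return sorted({(sid, set_on[sid], b) for sid, b, st in gets
                   if st == "MISSED" and sid in set_on and set_on[sid] != b})

def hit_counts(logs):
    """Per backend: (cache hits, total lookups)."""
    counts = defaultdict(lambda: [0, 0])
    for _sid, backend, status in parse(logs)[1]:
        counts[backend][0] += status == "FOUND"
        counts[backend][1] += 1
    return {b: tuple(c) for b, c in counts.items()}

if __name__ == "__main__":
    print(cross_server_misses(SAMPLE_LOGS), hit_counts(SAMPLE_LOGS))
```

A miss for an ID that another backend cached means the client was sent to a different server than the one it negotiated with; a miss for an ID no backend cached (0F0F0F in the sample) is more likely an expired or evicted session.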