In article <[EMAIL PROTECTED]> you wrote:

> I believe I'm encountering this problem and have been reading over
> some of the old messages.
> 
> Question: some of the messages say that the fix involves setting
> both ssl-unclean-shutdown *and* nokeepalive for MSIE browsers,
> while some other messages seem to say it's ok to just use 
> ssl-unclean-shutdown but leave keepalives enabled.  Having to
> turn off keepalives kills performance, of course.  (I have to
> serve SSL pages with a lot of small embedded GIFs and can't
> afford a separate SSL setup for each gif).
> 
> Can anyone (Ralf?) say what the story is about this?  Do I have
> to turn off keepalives?  Any idea how to go about searching for
> another solution?  I'm trying to set up a high traffic site, so
> leaving keepalives permanently off isn't acceptable.  I believe
> I have a copy of Microsoft IIS available, so if necessary I can
> try to figure out what it's doing when an MSIE browser connects.
> If it comes to that, some advice/collaboration would be appreciated,
> but let's hope it isn't necessary.

Some weeks ago I set up a test server and we let people connect with
lots of browsers. The result was that most newer MSIE browsers failed with I/O
errors.  After tracing down the problem it was clear that it's related to the
shutdown sequence. But it occurred only under certain circumstances and with
some browser versions.  Especially when mod_ssl performs a correct shutdown
after POST requests, i.e. sends the close notify alert, MSIE presents the I/O
error. When one does an unclean shutdown here (i.e. not sending the close
notify alert) MSIE still complains. When we avoided keepalive, it then worked.

That's why by default the best workaround (to avoid any problems) was to both
disable keepalive and use an unclean shutdown for MSIE browsers. But it's
correct that disabling keepalives isn't always needed. OTOH using an unclean
shutdown also seems not to be needed _always_. But we were not able to find
out exactly under which situations MSIE just has problems with the keepalive
stuff and under which only with the close notify alert.

So, when you want to remove the disabling of keepalives you have to find out
what specific request combinations are buggy in MSIE and which are not. And
then disable keepalive only for particular requests (when possible).

Finally, keep in mind: The unclean shutdown is against the SSL/TLS
specification. That's why mod_ssl doesn't do this by default and will not do
it in the future. It's a problem of MSIE and not mod_ssl/OpenSSL. For security
reasons related to session resumption the server has to send the close
notify message.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
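
The last step of the reply, disabling keepalive only for particular requests, could be written as the httpd configuration below. This is an added example, not part of the original message or of mod_ssl's shipped configuration; it assumes mod_setenvif and mod_ssl are loaded, and the choice of POST as the only problematic request type is an assumption to confirm with your own browser tests.

```apache
# Added example (not from the original message).

# Step 1: the blanket workaround discussed in the thread. Every request from
# an MSIE User-Agent loses keepalive, and mod_ssl closes the connection
# without sending the close notify alert.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

# Step 2: narrow the keepalive penalty. Directives are evaluated in order,
# so this line clears nokeepalive again for GET and HEAD requests, which
# covers the many small embedded images on a page. For non-MSIE clients the
# variable was never set and the removal is a no-op.
# ASSUMPTION: only non-GET/HEAD requests (e.g. POST) trigger the I/O error
# on the browser versions you serve. Verify before deploying.
SetEnvIf Request_Method "^(GET|HEAD)$" !nokeepalive

# ssl-unclean-shutdown is left set for all MSIE requests. Because it skips
# the close notify alert that the SSL/TLS specification requires, keep the
# User-Agent pattern as narrow as your testing allows rather than widening
# it to all clients.
```

If testing shows that GET requests from some MSIE versions also fail with keepalive enabled, drop the second directive and fall back to the blanket form.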
