Re: ModSSL and IE5.0 and Keepalive

1999-05-18 Thread Bodo Moeller

>> You can try just:
>> SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
>> 
>>> Why does it affect https but not http?
>>
>> Don't ask me: It's a problem in MSIE AFAIK.

What does the shutdown sequence in Apache with mod_ssl look like?

With a different SSL application, I have observed strange behaviour
with Netscape Navigator (version 4.5).  When the server has closed the
connection (because its HTTP keepalive time is up) by sending a
closure alert, Netscape still tries to read more data from the server
-- it just ignores the alert.  Of course the server has stopped
sending data and just ignores any new request sent by the client.  To
circumvent this Netscape problem, the server must send a TCP FIN after
the close_notify alert; only then Netscape sends its own close_notify,
and the connection finally ends cleanly.

What makes things more difficult is that the browser keeps connections
half-closed (without knowing that its TCP received a FIN) for a long
time while it does not need them -- it does not probe them for closure
alerts or FINs.  As the server probably wants its TCP to go to CLOSED
state instead of sleeping in FIN-WAIT-2 state, it has to do a
half-duplex TCP close after some time-out period (which means that the
client will get a RST as soon as it tries to send its next request --
in this case, it appears very likely that the client does not even
look at the closure alert that its TCP received).  Since the server
does not receive a close_notify from the client, such sessions become
unresumable according to the TLS specification.

Did Microsoft really invent a unique way of getting things wrong, or
are the IE problems similar to this?
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
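
The close sequence described in the message above, as an added example that is not part of the original post or of mod_ssl: a plain-TCP Python sketch in which the server sends its FIN, waits a bounded time for the peer's FIN, and then closes fully. The names `server_close`, `prompt_client`, `idle_client` and `run` and the time-out values are assumptions; the TLS close_notify exchange is omitted and only marked in a comment.

```python
import socket
import threading
import time

def server_close(conn, linger_timeout):
    """Server side of the close sequence: FIN first, then a bounded wait."""
    # A TLS server would write its close_notify alert here (for OpenSSL,
    # SSL_shutdown) before the FIN; this sketch is plain TCP (assumption).
    conn.shutdown(socket.SHUT_WR)          # send TCP FIN, keep reading
    deadline = time.monotonic() + linger_timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "forced"            # do not sit in FIN-WAIT-2 forever
            conn.settimeout(remaining)
            if not conn.recv(4096):        # b"" means the peer sent its FIN
                return "clean"
            # Late request bytes from the client are read and discarded.
    except socket.timeout:
        return "forced"
    finally:
        conn.close()                       # full close; later client writes get RST

def prompt_client(sock):
    """Client that notices the server's FIN and answers with its own."""
    while sock.recv(4096):
        pass
    sock.close()

def idle_client(sock, hold=0.6):
    """Client that parks the connection and never checks it for closure."""
    time.sleep(hold)
    sock.close()

def run(client, linger_timeout=0.2):
    """Connect one client over loopback and return the server's close result."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        peer = socket.create_connection(listener.getsockname())
        conn, _ = listener.accept()
    worker = threading.Thread(target=client, args=(peer,))
    worker.start()
    result = server_close(conn, linger_timeout)
    worker.join()
    return result

if __name__ == "__main__":
    print(run(prompt_client), run(idle_client))
```

A "forced" result corresponds to the case in the message where the server never sees the client's close and has to give up after its time-out.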



Re: ModSSL and IE5.0 and Keepalive

1999-05-18 Thread Ralf S. Engelschall

On Tue, May 18, 1999, Albert Steiner wrote:

> SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
> works.  
> Where is the documentation for this?  I looked around the site, at the
> manual and FAQs and found nothing I recognized about this.

Then you should read the FAQ more carefully ;)
In detail: http://www.modssl.org/docs/2.3/ssl_faq.html#io-error

Additionally even the provided httpd.conf-dist file contains:

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received.  This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
#   ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ModSSL and IE5.0 and Keepalive

1999-05-18 Thread Albert Steiner

Thanks:

SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
works.  

Where is the documentation for this?  I looked around the site, at the manual and FAQs 
and found nothing I recognized about this.

Albert Steiner


At 05:44 PM 5/14/99 +0200, you wrote:
>On Fri, May 14, 1999, Albert Steiner wrote:
>
>> [...]
>> If keepalive is disabled with BrowserMatch  MSIE 5.0  The problem goes away.
>> But I haven't seen that this is required, nor have I seen any other
>> reference to this.
>> 
>> Is this keepalive problem a known problem?
>
>Yes.
>
>> Is there any way to fix it without disabling keepalive on the server?
>
>You can try just:
>SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
>
>> Why does it affect https but not http?
>
>Don't ask me: It's a problem in MSIE AFAIK.
>
>> I assume this does not fail with MS ISS what do they do?
>
>I don't know, I've no sources for ISS. But perhaps
>ISS per default does an unclean shutdown...
>
>   Ralf S. Engelschall
>   [EMAIL PROTECTED]
>   www.engelschall.com
--
Albert Steiner  Coordinator Distributed Computing
Emerging Technologies Group of Academic Technologies
Northwestern University, 2129 N Campus Dr., Evanston, IL 60208
[EMAIL PROTECTED]  Phone 847-491-4056 FAX 847-491-3824



Re: ModSSL and IE5.0 and Keepalive

1999-05-14 Thread Simon Garner


- Original Message -
From: Ralf S. Engelschall <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 15, 1999 3:44 AM
Subject: Re: ModSSL and IE5.0 and Keepalive


> On Fri, May 14, 1999, Albert Steiner wrote:
>
> > [...]
> > If keepalive is disabled with BrowserMatch  MSIE 5.0  The problem goes away.
> > But I haven't seen that this is required, nor have I seen any other
> > reference to this.
> >
> > Why does it affect https but not http?
>
> Don't ask me: It's a problem in MSIE AFAIK.
>


IE5 and mod_ssl work fine for me with keepalive... sounds like a problem
with the server setup. Have you tried other browsers?


-Simon Garner




Re: ModSSL and IE5.0 and Keepalive

1999-05-14 Thread Ralf S. Engelschall

On Fri, May 14, 1999, Albert Steiner wrote:

> [...]
> If keepalive is disabled with BrowserMatch  MSIE 5.0  The problem goes away.
> But I haven't seen that this is required, nor have I seen any other
> reference to this.
> 
> Is this keepalive problem a known problem?

Yes.

> Is there any way to fix it without disabling keepalive on the server?

You can try just:
SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

> Why does it affect https but not http?

Don't ask me: It's a problem in MSIE AFAIK.

> I assume this does not fail with MS ISS what do they do?

I don't know, I've no sources for ISS. But perhaps
ISS per default does an unclean shutdown...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com