httpd-dev mailing list archives

From <>
Subject Re: SSL enabled -> nokeepalive in MSIE for non-SSL connections
Date Tue, 22 Nov 2005 13:55:29 GMT
Here is a more complete description of the problem, aligned with my latest 

As the situation is very fuzzy, do not hesitate to answer if you find 
additional info.

General Apache configuration to reproduce the problem:

<VirtualHost _default_:443>

    SSLVerifyClient none

    <Location /subdir/>

        SSLVerifyClient require

    </Location>

</VirtualHost>


Actions to reproduce the original problem:

- go to https://myserver/index.html

- go to https://myserver/subdir/post.html (a page that posts some data)

- wait at least 1 min. before clicking to post the data

Different flavours of IE 6/SSL:

Regarding SSL handling, we have several flavours of IE 6.

I'll give a time-sorted list, with a totally "proprietary" naming convention 
referring to the bug descriptions below:

- flavour 1: containing bug 1 & 2

- flavour 2: containing bug 1, but not 2

- flavour 3: containing neither bug 1 nor 2 - incompatible with bug 1 

- flavour 4: containing neither bug 1 nor 2, but compatible with 
work-around for bug 1

Bug descriptions:

1. If you don't use the 'ssl-unclean-shutdown' directive, some old versions 
of IE 6 (flavours 1 & 2) cannot connect to 
'https://myserver/subdir/post.html' because of an incompatibility with the SSL 
standard in the re-negotiation mechanism.

This is the same problem as with IE 4 & 5.

If you use the directive, these versions can connect correctly but some 
newer versions (flavour 3) cannot connect.

2. If you don't use the 'nokeepalive' directive, some old versions of IE 6 
(flavour 1) lose their form data if waiting too long (sometimes more than 
15 s) before submitting it (see MS KB 831167).

If you use the directive, it works correctly, also with all other versions 
of IE.

Instead of this directive, we can also extend the keep-alive interval to 
more than 1 min.

When to use the directives?

It seems a good practice to disable keep-alive for all IE browsers, even if 
some support it correctly, although I'm not sure about the performance 
impact. Shouldn't we instead increase the keep-alive interval? Are there 
some other problems with keep-alive?

For the 'ssl-unclean-shutdown', there are only 2 possibilities, as there is 
no way (at least none I'm aware of) of distinguishing between IE 6 flavours:

1. always use it for all IE versions: SetEnvIf User-Agent ".*MSIE.*" 

This will work with most versions of IE, except flavour 3.

As flavour 3 is post-SP2, I expect most of these browsers to be updated with 
Windows Update - or at least I could request my clients to do it

2. use it only for IE 4/5: SetEnvIf User-Agent ".*MSIE [45].*" 

This will work with all versions of IE, but not with flavour 1 & 2.

As flavour 1/2 is pre-SP2, there may be a big number of machines still at 
this level, especially in companies.

As you can see, no solution is totally perfect, but the first one may be 

Btw, I did not try with IE 7, but I expect it to not have bug 1, and to 
correctly support SSL re-negotiation, so we should use:

SetEnvIf User-Agent ".*MSIE [456].*" ssl-unclean-shutdown nokeepalive
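
Added example, not part of the original message: a small Python model of how SetEnvIf evaluates the three User-Agent patterns discussed above, so a rule can be checked against sample browsers before it is deployed. The User-Agent strings are constructed, the variable attached to the first two patterns is an assumption, and only request-header attributes are modelled.

```python
import re
import shlex

def parse_setenvif(line):
    """Parse 'SetEnvIf <header> <regex> [!]var[=value] ...' into a rule."""
    parts = shlex.split(line)
    if len(parts) < 4 or parts[0].lower() != "setenvif":
        raise ValueError("incomplete SetEnvIf directive: %r" % line)
    return parts[1].lower(), re.compile(parts[2]), parts[3:]

def apply_rules(lines, headers):
    """Apply directives in order; return the environment they produce."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    env = {}
    for header, regex, actions in map(parse_setenvif, lines):
        value = hdrs.get(header)
        # The regex is unanchored: a match anywhere in the header counts.
        if value is None or not regex.search(value):
            continue
        for action in actions:
            if action.startswith("!"):
                env.pop(action[1:], None)      # !var removes the variable
            else:
                name, _, val = action.partition("=")
                env[name] = val or "1"         # a bare variable is set to "1"
    return env

# The three patterns from the message. The variable on the first two is an
# assumption: the message text shows only the pattern for those.
STRATEGIES = {
    "all MSIE": 'SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown',
    "MSIE 4/5": 'SetEnvIf User-Agent ".*MSIE [45].*" ssl-unclean-shutdown',
    "MSIE 4-6": 'SetEnvIf User-Agent ".*MSIE [456].*" ssl-unclean-shutdown nokeepalive',
}

# Constructed User-Agent samples (not taken from the message).
SAMPLES = {
    "IE 5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "IE 6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "IE 7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20051111 Firefox/1.5",
}

def coverage():
    """Map each strategy to {browser: sorted variables set for it}."""
    return {name: {ua: sorted(apply_rules([rule], {"User-Agent": s}))
                   for ua, s in SAMPLES.items()}
            for name, rule in STRATEGIES.items()}

if __name__ == "__main__":
    for name, row in coverage().items():
        print(name, row)
```

Every IE 6 sample gets the same result under a given pattern, which is the limitation the message describes: the User-Agent match cannot separate the IE 6 flavours.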

