httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lars Eilebrecht" <l...@eilebrecht.net>
Subject Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration
Date Sat, 07 Nov 2009 01:21:45 GMT
Ruediger Pluem wrote on 2009-11-07 00:29:41:

> > -BrowserMatch ".*MSIE.*" \
> > -         nokeepalive ssl-unclean-shutdown \
> > -         downgrade-1.0 force-response-1.0
> > +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> > +                          downgrade-1.0 force-response-1.0
> > +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
> >
> >  #   Per-Server Logging:
> >  #   The home of a custom SSL log file. Use this when you want a  
> 
> Do we really know that IE >= 6 do not need these additional options
> any longer?

The bug about SSL renegotiation got fixed in one of the IE 6 earlier
versions, so some of the very very old versions of IE 6 won't work, but
the market share of these versions if effectively 0%.

If you google for it you'll find some people recommending the use of
the above configuration, and I've been using it on various sites since
a few years without any problems.

The main issue with our previous config is that we are disabling
keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS server.

cheers...
-- 
Lars Eilebrecht
lars@eilebrecht.net


Mime
View raw message