httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration
Date Sat, 07 Nov 2009 10:24:03 GMT
On Saturday 07 November 2009, Lars Eilebrecht wrote:
> Ruediger Pluem wrote on 2009-11-07 00:29:41:
> > > -BrowserMatch ".*MSIE.*" \
> > > -         nokeepalive ssl-unclean-shutdown \
> > > -         downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> > > +                          downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
> > >
> > >  #   Per-Server Logging:
> > >  #   The home of a custom SSL log file. Use this when you want
> > > a
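Review bot: the single-digit character classes in the new BrowserMatch lines do not hold up once the major version has two digits: "MSIE [1-5]" also matches "MSIE 10" (its first digit is 1), and "MSIE [6-9]" never matches a two-digit version, so IE 10 would receive the full nokeepalive / downgrade-1.0 / force-response-1.0 treatment meant for IE 1-5 and nothing from the second rule. Suggest starting the first class at 2 and letting the second cover later majors, e.g. `BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0` and `BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown`, or requiring the version separator with `MSIE [1-5]\.`. Also worth a comment in the config: the removed `.*MSIE.*` and the new patterns are both unanchored searches, so any non-IE User-Agent that embeds an MSIE token keeps matching exactly as before.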
> >
> > Do we really know that IE >= 6 do not need these additional
> > options any longer?
> 
> The bug about SSL renegotiation got fixed in one of the earlier IE 6
> versions, so some of the very very old versions of IE 6 won't work,
> but the market share of these versions is effectively 0%.
> 
> If you google for it you'll find some people recommending the use
> of the above configuration, and I've been using it on various
> sites for a few years without any problems.
> 
> The main issue with our previous config is that we are disabling
> keep-alive for IE 7 and 8, which is a bad idea for a busy HTTPS
> server.

Shouldn't you use something like this?

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown \
                          downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown


There are no MSIE 1.x around anymore, but MSIE 10, 11, ... will happen 
in the not too distant future.

BTW, I am not so sure that MSIE 6 works reliably with keepalive in all 
situations (e.g. with proxies, plugins, etc.). Therefore I would 
actually prefer [2-6] and [17-9].

Cheers,
Stefan

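To make the behaviour of these character classes concrete, the following is an added example (written for this page, not code from the thread or from httpd) that emulates BrowserMatch evaluation with Python's re module. It applies the three rule sets discussed above (the patch's [1-5]/[6-9], the suggested [2-5]/[16-9], and the preferred [2-6]/[17-9]) to a handful of constructed User-Agent strings. Assumptions: BrowserMatch is treated as an unanchored, case-sensitive regex search over the User-Agent header, as SetEnvIf does, and the User-Agent strings are made up for the example rather than captured from real clients; the later IE 11 string, which no longer carries an MSIE token, is included to show that none of the rule sets matches it.

```python
import re

# Env vars from the thread's BrowserMatch lines; the names are Apache's own.
LEGACY = ("nokeepalive", "ssl-unclean-shutdown", "downgrade-1.0", "force-response-1.0")
UNCLEAN = ("ssl-unclean-shutdown",)

# Rule sets exactly as written in the thread: (regex, env vars it sets).
PATCH_RULES = [(r"MSIE [1-5]", LEGACY), (r"MSIE [6-9]", UNCLEAN)]
SUGGESTED_RULES = [(r"MSIE [2-5]", LEGACY), (r"MSIE [16-9]", UNCLEAN)]
PREFERRED_RULES = [(r"MSIE [2-6]", LEGACY), (r"MSIE [17-9]", UNCLEAN)]

# Constructed User-Agent strings (assumption: typical shapes, not captured logs).
USER_AGENTS = {
    "IE 5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "IE 6.0": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "IE 8.0": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "IE 10.0": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "IE 11.0": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "Firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5",
}


def apply_browsermatch(rules, user_agent):
    """Emulate BrowserMatch: each rule is an unanchored, case-sensitive regex
    search over the User-Agent header (BrowserMatch is SetEnvIf User-Agent);
    every matching rule contributes its env vars, and matches accumulate."""
    env = set()
    for pattern, variables in rules:
        if re.search(pattern, user_agent):
            env.update(variables)
    return frozenset(env)


def classify(rules, agents=USER_AGENTS):
    """Map each agent name to the sorted tuple of env vars a rule set gives it."""
    return {name: tuple(sorted(apply_browsermatch(rules, ua)))
            for name, ua in agents.items()}


def misclassified_by_patch(agents=USER_AGENTS):
    """Agents that the patched rules treat as IE 1-5 although the version is
    not 1.x-5.x, i.e. where the single-digit class swallows the first digit
    of a two-digit major (MSIE 10 matches 'MSIE [1-5]')."""
    return sorted(name for name, ua in agents.items()
                  if "nokeepalive" in apply_browsermatch(PATCH_RULES, ua)
                  and not re.search(r"MSIE [1-5]\.", ua))


if __name__ == "__main__":
    for label, rules in (("patch", PATCH_RULES), ("suggested", SUGGESTED_RULES),
                         ("preferred", PREFERRED_RULES)):
        print(f"== {label} ==")
        for name, env in classify(rules).items():
            print(f"  {name:8} -> {', '.join(env) or '(defaults)'}")
    print("misclassified by patch:", misclassified_by_patch())
```

Running it shows the point of the [16-9] trick: with the patch's rules, the IE 10 string collects all four legacy variables, including nokeepalive, because "MSIE 1" is a prefix of "MSIE 10"; with the suggested rules it gets only ssl-unclean-shutdown, and with the preferred rules IE 6 is moved into the legacy group. The IE 11 and Firefox strings get nothing from any rule set and fall through to the server defaults.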