httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration
Date Sat, 07 Nov 2009 09:09:26 GMT


On 11/07/2009 02:21 AM, Lars Eilebrecht wrote:
> Ruediger Pluem wrote on 2009-11-07 00:29:41:
> 
>>> -BrowserMatch ".*MSIE.*" \
>>> -         nokeepalive ssl-unclean-shutdown \
>>> -         downgrade-1.0 force-response-1.0
>>> +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
>>> +                          downgrade-1.0 force-response-1.0
>>> +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
>>>
>>>  #   Per-Server Logging:
>>>  #   The home of a custom SSL log file. Use this when you want a  
>> Do we really know that IE >= 6 do not need these additional options
>> any longer?
> 
> The bug about SSL renegotiation got fixed in one of the IE 6 earlier
> versions, so some of the very very old versions of IE 6 won't work, but
> the market share of these versions if effectively 0%.
> 
> If you google for it you'll find some people recommending the use of
> the above configuration, and I've been using it on various sites since
> a few years without any problems.
> 
> The main issue with our previous config is that we are disabling
> keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS server.

Yeah, I know and this is a real PITA that has bothered me for years,
but I just wanted to be sure that this is fixed in recent IE 6 and up.
So many thanks for your investigations.

Regards

RĂ¼diger


Mime
View raw message