httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r966055 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
Date Wed, 21 Jul 2010 09:58:10 GMT
On 21.07.2010 01:33, gstein@apache.org wrote:
> Author: gstein
> Date: Tue Jul 20 23:33:18 2010
> New Revision: 966055
>
> URL: http://svn.apache.org/viewvc?rev=966055&view=rev
> Log:
> Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released
> for this problem quite a while back (see kb 921090), so restrict the
> modified behavior to the old/unsupported browsers.
>
> * docs/conf/extra/http-ssl.conf.in:
>    (): tighten up the regex to only select old MSIE browsers for the
>      downgrade in http behavior. this allows IE6 to run much faster.
>
> Modified:
>      httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
>
> Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=966055&r1=966054&r2=966055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
> +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Tue Jul 20 23:33:18 2010
> @@ -218,7 +218,7 @@ SSLCertificateKeyFile "@exp_sysconfdir@/
>   #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
>   #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
>   #   "force-response-1.0" for this.
> -BrowserMatch ".*MSIE.*" \
> +BrowserMatch ".*MSIE [1-5].*" \
>            nokeepalive ssl-unclean-shutdown \
>            downgrade-1.0 force-response-1.0

There was a discussion[1,2] at some ApacheCon about improving defaults 
for this BrowserMatch (and for SSLCipherSuite). The discussion ended 
with the suggestion:

BrowserMatch "MSIE" ssl-unclean-shutdown
BrowserMatch "MSIE [2-5]" nokeepalive downgrade-1.0 force-response-1.0

So should we keep "ssl-unclean-shutdown" for all MSIE versions?

Regards,

Rainer

[1] http://marc.info/?t=125754163900002&r=1&w=2
[2] http://marc.info/?t=125754970200003&r=1&w=2

Mime
View raw message