MSIE nokeepalive ssl-unclean-shutdown - directive causes slow responses
jibbajibba
2006-11-09 10:13:01 UTC
Hi,

We have set up a site running ssl on apache2.0 linking to Tomcat.
Users with IE were getting occasional TCP 'page not found errors'. We
identified this as a known issue with IE and SSL and implemented this
directive

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Since then users on distant parts of our network are seeing response
times doubled or tripled. We think that this is because there needs to
be a new SSL handshake for each get request.

So my question is ... is there an alternative way to resolve the TCP
errors we are seeing without causing the slow responses?

A choice between slow response and intermittent page not found errors
isn't one I want to make if there is an alternative.
HansH
2006-11-09 15:00:08 UTC
Post by jibbajibba
Hi,
We have set up a site running ssl on apache2.0 linking to Tomcat.
Users with IE were getting occasional TCP 'page not found errors'. We
identified this as a known issue with IE and SSL and implemented this
directive
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Aka http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#msie reading
'The first reason is that the SSL implementation in some MSIE versions has
some subtle bugs related to the HTTP keep-alive facility and the SSL close
notify alerts on socket connection close.'

More MSIE-related troubles are described there too:
- ... 56bit export versions of MSIE 5.x browsers have a broken SSLv3
implementation
- ... versions of MSIE which seem to require that an SSL session can be
reused
Post by jibbajibba
Since then users on distant parts of our network are seeing response
times doubled or tripled. We think that this is because there needs to
be a new SSL handshake for each get request.
So my question is ... is there an alternative way to resolve the TCP
errors we are seeing without causing the slow responses?
Plausible. Do specify 'distant parts of our network'.
Is the response time increasing from subsecond to still below 2s, or worse?
Post by jibbajibba
A choice between slow response and intermittent page not found errors
isn't one I want to make if there is an alternative.
Got your point ...

Just a wild guess ... maybe [one of] the below [hotfixes] apply
http://support.microsoft.com/kb/305217
http://support.microsoft.com/kb/831167
http://support.microsoft.com/kb/821814/

The latter describes a problem with SSL version 3 mentioned at
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#msie too, so perhaps
either of
SSLProtocol all -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
might be your magic line.

Good luck,

HansH
Renzo Zagni
2006-11-09 18:22:03 UTC
Try replacing your SetEnvIf ..MS.. for

BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

RZ
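To see why the narrowed BrowserMatch rules above avoid the slowdown while the original SetEnvIf does not, here is an added example (not code from anyone in this thread) that applies both rulesets to a handful of constructed User-Agent strings and reports which mod_ssl environment variables each would set. BrowserMatch is shorthand for SetEnvIf User-Agent with a regex, and Apache applies every matching directive, so a list of (pattern, variables) pairs models the configuration closely enough for this purpose; the User-Agent strings are made up for the example, and the IE 10 string is later than anything the 2006 thread considered, included only to show that these patterns are substring matches.

```python
import re

# Constructed sample User-Agent strings (not taken from the thread).
SAMPLE_USER_AGENTS = {
    "ie4": "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    # Post-2006 UA, included to show the substring-match caveat below.
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "firefox": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0",
}

ALL_WORKAROUNDS = {"nokeepalive", "ssl-unclean-shutdown",
                   "downgrade-1.0", "force-response-1.0"}

# The broad rule from the first post: every IE version loses keep-alive.
BROAD_RULES = [
    (r".*MSIE.*", ALL_WORKAROUNDS),
]

# The narrowed rules from the reply: only IE 1-4 lose keep-alive,
# IE 5-9 keep persistent connections and only get the unclean shutdown.
NARROW_RULES = [
    (r"MSIE [1-4]", ALL_WORKAROUNDS),
    (r"MSIE [5-9]", {"ssl-unclean-shutdown"}),
]


def env_for(user_agent, rules):
    """Return the set of env vars the rules would set for this User-Agent.

    Like Apache, every matching directive contributes (the sets union);
    re.search mirrors the unanchored regex match SetEnvIf/BrowserMatch use.
    """
    env = set()
    for pattern, variables in rules:
        if re.search(pattern, user_agent):
            env |= variables
    return env


def keepalive_disabled(user_agent, rules):
    """True when the rules would force one TCP (and TLS) connection per request."""
    return "nokeepalive" in env_for(user_agent, rules)


def compare(user_agents=SAMPLE_USER_AGENTS):
    """Per sample UA: does keep-alive survive under each ruleset, and what is set."""
    report = {}
    for name, ua in user_agents.items():
        report[name] = {
            "broad_nokeepalive": keepalive_disabled(ua, BROAD_RULES),
            "narrow_nokeepalive": keepalive_disabled(ua, NARROW_RULES),
            "narrow_env": sorted(env_for(ua, NARROW_RULES)),
        }
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:8s} broad:nokeepalive={str(row['broad_nokeepalive']):5s} "
              f"narrow:nokeepalive={str(row['narrow_nokeepalive']):5s} "
              f"narrow_env={row['narrow_env']}")
```

Under the broad rule, IE 6 and IE 7 (the mainstream browsers when the thread was written) get nokeepalive and therefore open a fresh connection, with its own SSL handshake, for every request, which is the latency the original poster observed; under the narrowed rules they keep persistent connections and only receive ssl-unclean-shutdown, which changes how the connection is closed and costs no extra handshake. The ie10 row shows the caveat with this style of pattern: "MSIE [1-4]" is a substring match, so "MSIE 10.0" matches it via "MSIE 1" and would be treated as an ancient browser. Anchoring the version, for example "MSIE [1-4]\.", avoids that if such strings are ever a concern.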