[imp] Problems sending messages using IE

Lord Apollyon implist at paypc.com
Tue Sep 21 18:17:00 PDT 2004


> The problem, as I said above, only occurred when the user agent was IE. If
> a user took longer than 30 seconds to compose a message, when they hit
> the send button, they would receive a “Page cannot be displayed” error.
> The other condition is that it must be an SSL encrypted connection.
> This error is caused by a design quirk that is only exhibited in IE when
> the SSL protocol negotiated and chosen is 3.0. The workaround is to
> either disable SSL v3 in the browser or disable it on the server.

Actually, it's a lot more complex than that.

Please see: <http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie> for a 
thorough description of the problem.

I've been running my ssl-based webmail service for several years now with 
the following mod_ssl directives in effect:

SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

The first config line deals with some non-conforming SSL behaviour most 
versions of IE are prone to.

The second line disables a SPECIFIC SSLv3 cipher which is known to be 
broken on most IE5 versions.  Note, it doesn't disable ALL of the SSLv3 
(this is bad), just the specific problem 56-bit "EXPORT" ciphers.

This requires no client-side alteration of the ciphers or protocols, and it 
allows non-broken browsers to use the best ciphers possible.

Pay particular attention to the following:

And finally there are versions of MSIE which seem to require that an SSL 
session can be reused (a totally non standard-conforming behaviour, of 
course). Connection with those MSIE versions only work if a SSL session 
cache is used. So, as a work-around, make sure you are using a session 
cache (see SSLSessionCache directive). 

=R=
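
Added example, not part of the original post or of mod_ssl: a small Python check that reads an Apache configuration and reports which of the three items in the message above (the MSIE SetEnvIf variables, the !EXPORT56 exclusion, a session cache) are missing. The function names and the sample cache path are assumptions made for illustration.

```python
import re

# Variables the post's SetEnvIf line sets for MSIE clients.
MSIE_FLAGS = {"nokeepalive", "ssl-unclean-shutdown",
              "downgrade-1.0", "force-response-1.0"}

def directives(text):
    """Yield (name, args) per directive, joining backslash-continued lines."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        # Keep a double-quoted argument (the User-Agent regex) as one token.
        tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', line)]
        yield tokens[0].lower(), tokens[1:]

def audit(text):
    """Return findings; an empty list means all three items are present."""
    flags, ciphers, cache = set(), [], None
    for name, args in directives(text):
        if (name == "setenvif" and len(args) > 2
                and args[0].lower() == "user-agent" and "MSIE" in args[1]):
            flags |= {a.lower() for a in args[2:]}
        elif name == "sslciphersuite" and args:
            ciphers = args[0].split(":")
        elif name == "sslsessioncache" and args:
            cache = args[0].lower()
    findings = []
    if MSIE_FLAGS - flags:
        findings.append("MSIE SetEnvIf lacks: " + ", ".join(sorted(MSIE_FLAGS - flags)))
    if "!EXPORT56" not in ciphers:
        findings.append("SSLCipherSuite does not exclude EXPORT56")
    if cache in (None, "none"):
        findings.append("no SSL session cache (SSLSessionCache)")
    return findings

# The two directives quoted in the post (no session cache line).
POST_CONFIG = r'''
SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
'''
# Constructed: same config plus a session cache; the path is a placeholder.
WITH_CACHE = POST_CONFIG + "SSLSessionCache dbm:/path/to/ssl_scache\n"
```

Run `audit()` on the text of a virtual host's configuration; the post's two directives alone yield the session cache finding.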



