Dear Apache Software Foundation: FIX THE MSIE SSL KEEPALIVE SETTINGS!
Dear Apache Software Foundation, and the developers of the Apache Web server:
I would like to thank you for developing a great product. I rely on it daily to host my own sites, and a large number of people on the Internet seem to share my love of this software.
However, it appears that you seem to want to maintain a simple flaw in your logic that continues to make me crazy. I am a Web performance analyst, and at least once a week I sigh, and shake my head whenever I stoop to use Microsoft Internet Explorer (MSIE) to visit secure sites.
I seems that in your SSL configurations, you continue to assume that ALL versions of MSIE can’t handle persistent connections under SSL/TLS.
Is this true? Is a bug initially caught in MSIE 5.x (5.0??) still valid for MSIE 6.0/7.0?
The short answer is: I don’t know.
It seems that no one in the Apache server team has bothered to go back and see if the current versions of MSIE — we are trying to track down the last three people use MSIE 5.x and help them — still share this problem.
In the meantime, can you change your SSL exclusion RegEx to something more, relevant for 2007?
Current RegEx:
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
Relvant, updated REGEX:
SetEnvIf User-Agent ".*MSIE [1-5].*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0SetEnvIf User-Agent ".*MSIE [6-9].*" ssl-unclean-shutdown
Please? PLEASE? It’s so easy…and would solve so many performance problems…
Please?
Thank you.
Tags: Apache, SSL, TLS, MSIE, persistent connections, keepalive, web performance



hey steve,
you should file a bug about it.
personally I can’t verify it as I don’t run windows. but in general the httpd project is more conservative than performance focused.
ian holsman
June 14 2007 at 11:14
hey steve,you should file a bug about it.personally I can’t verify it as I don’t run windows. but in general the httpd project is more conservative than performance focused.
ian holsman
June 14 2007 at 11:14
[...] http://crazycanuck.org/2007/06/06/dear-apache-software-foundation-fix-the-msie-ssl-keepalive-setting... [...]
Giant Geek Blog » Blog Archive » MSIE’s flawed SSL implementation
July 10 2007 at 19:58
This change fixed a problem we had after a patch update to apache resulted in IE clients not being able to access one of our enterprise Java apps over SSL through an ISA firewall.
The error seen in the ISA logs was:
Error Code: 500 Internal Server error. The context has expired and can no longer be used. (-2146893033)
By changing ssl.conf to only specify ssl-unclean-shutdown for MSIE 6+, the IE clients were able to use the application without errors.
bwg
November 15 2007 at 22:42
This change fixed a problem we had after a patch update to apache resulted in IE clients not being able to access one of our enterprise Java apps over SSL through an ISA firewall.The error seen in the ISA logs was:Error Code: 500 Internal Server error. The context has expired and can no longer be used. (-2146893033)By changing ssl.conf to only specify ssl-unclean-shutdown for MSIE 6+, the IE clients were able to use the application without errors.
bwg
November 15 2007 at 22:42
YEAHHHHHHHHH this is plain stupid and old age! Someone needs to look at this now!
Anonymous
August 13 2008 at 16:09
Sadly, it seems even IE7 can't do things properly – we'll have to keep going with nokeepalive even longer.Here is a text tracking down AJAX issues in IE7 to keepalive: http://qfox.nl/notes?1
Andreas Lange
September 30 2008 at 09:02
I'm glad to see you exclude nokeepalive. With a setup including an OCSP responder, that nokeepalive flag kills us with multiple pki cert validation requests per page load.
Scooter Hanson
April 28 2009 at 08:08
[...] IE SSL Closure FIX Apache For IE [...]
Less Requirement » Blog Archive » Apach SSL is slow, or IE SSL is slow?
April 28 2009 at 18:08
I'm glad to see you exclude nokeepalive. With a setup including an OCSP responder, that nokeepalive flag kills us with multiple pki cert validation requests per page load.
Scooter Hanson
April 28 2009 at 14:08
I totally agree with you that the developers of the Apache Web server creates a great product despite of the fact that sometimes it makes some small mistakes like you mentioned. I hope that it would never happen again in the future. Well I have to find out if they have fixed this problem. Btw thanks for the interesting post!Sincerely, Craig Barteson from software application development
PatrickN
October 22 2009 at 22:47
Fixed in http://svn.apache.org/viewvc?view=revision&revi…It should come out in the next 2.3.x release, and (should) be backported to 2.2.x soon.Delayed? Yeah. It took somebody to point out this blog post. I hadn't heard of the issue (logged in our tracker as #49484).
Your Name
July 20 2010 at 23:51
It looks like the regex for your fix will break for IE10.0
221 BrowserMatch “.*MSIE [1-5].*”
222 nokeepalive ssl-unclean-shutdown
223 downgrade-1.0 force-response-1.0
Ken
December 14 2010 at 23:46
For all us in Web performance, I thank you!smp
Stephen Pierzchala
July 21 2010 at 03:25
I’m a bit surprised that the Apache software foundation would make these changes on an article that the author admits he doesn’t know if the problem exists.
Joel
November 22 2010 at 17:22
[...] years ago, there was a public call to update the guidance to reflect the fact that users of more modern browsers were paying an [...]
HTTPS and Keep-Alive Connections - MSDN Blogs
March 26 2011 at 21:01
[...] It seems like one of the applications rolled-out on their latest release either contained a bug, miss-configuration, or unintended feature – which disable HTTP 1.1 for User Agents containing “MSIE” string. The issue was due to an old Apache configuration which forced HTTP 1.0 and No Keep Alive for browser… [...]
Relying on Web Performance Monitoring to Discover Release Problems | Catchpoint Blog on Web Performance Monitoring
March 28 2011 at 22:37
[...] Dear Apache Software Foundation: FIX THE MSIE SSL KEEPALIVE SETTINGS! [...]
IEからApacheへSSL通信をすると重くなる処理を改善する | Classmethod.dev('beta')
November 2 2011 at 09:20
Try this on Rejex validator (http://rejex.heroku.com) and it should pass for particular version of IE, especially verion 6:
#Beware of backward slash plus double dots
BrowserMatch “.*MSIE [2-5]\..*” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
#IE6 or above should work fine in responding HTTP/1.1 directly
BrowserMatch “.*MSIE [6-9]\..*” ssl-unclean-shutdown
Kenneth
November 15 2011 at 01:58