mPulse

Tuesday, June 5, 2007

Dear Apache Software Foundation: FIX THE MSIE SSL KEEPALIVE SETTINGS!

Dear Apache Software Foundation, and the developers of the Apache Web server:

I would like to thank you for developing a great product. I rely on it daily to host my own sites, and a large number of people on the Internet seem to share my love of this software.

However, it appears that you seem to want to maintain a simple flaw in your logic that continues to make me crazy. I am a Web performance analyst, and at least once a week I sigh, and shake my head whenever I stoop to use Microsoft Internet Explorer (MSIE) to visit secure sites.

It seems that in your SSL configurations, you continue to assume that ALL versions of MSIE can't handle persistent connections under SSL/TLS.

Is this true? Is a bug initially caught in MSIE 5.x (5.0??) still valid for MSIE 6.0/7.0?

The short answer is: I don't know.

It seems that no one in the Apache server team has bothered to go back and see if the current versions of MSIE -- we are trying to track down the last three people who use MSIE 5.x and help them -- still share this problem.

In the meantime, can you change your SSL exclusion RegEx to something more relevant for 2007?

Current RegEx:

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0


Relevant, updated RegEx:

SetEnvIf User-Agent ".*MSIE [1-5].*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

SetEnvIf User-Agent ".*MSIE [6-9].*" \
    ssl-unclean-shutdown


Please? PLEASE? It's so easy...and would solve so many performance problems...

Please?

Thank you.


17 comments:

  1. hey steve, you should file a bug about it. personally I can't verify it as I don't run windows. but in general the httpd project is more conservative than performance focused.

  3. [...] http://crazycanuck.org/2007/06/06/dear-apache-software-foundation-fix-the-msie-ssl-keepalive-setting... [...]

  4. YEAHHHHHHHHH this is plain stupid and old age! Someone needs to look at this now!

  5. Sadly, it seems even IE7 can't do things properly - we'll have to keep going with nokeepalive even longer. Here is a text tracking down AJAX issues in IE7 to keepalive: http://qfox.nl/notes?1

  6. I'm glad to see you exclude nokeepalive. With a setup including an OCSP responder, that nokeepalive flag kills us with multiple pki cert validation requests per page load.

  8. Fixed in http://svn.apache.org/viewvc?view=revision&revi... It should come out in the next 2.3.x release, and (should) be backported to 2.2.x soon. Delayed? Yeah. It took somebody to point out this blog post. I hadn't heard of the issue (logged in our tracker as #49484).

  9. For all us in Web performance, I thank you! smp

  10. I'm a bit surprised that the Apache software foundation would make these changes on an article that the author admits he doesn't know if the problem exists.

  11. It looks like the regex for your fix will break for IE10.0

    BrowserMatch ".*MSIE [1-5].*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

  12. [...] years ago, there was a public call to update the guidance to reflect the fact that users of more modern browsers were paying an [...]

  13. Try this on Rejex validator (http://rejex.heroku.com) and it should pass for a particular version of IE, especially version 6:

    #Beware of backward slash plus double dots
    BrowserMatch ".*MSIE [2-5]\..*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

    #IE6 or above should work fine in responding HTTP/1.1 directly
    BrowserMatch ".*MSIE [6-9]\..*" ssl-unclean-shutdown

  14. no, 6 has the downgrade issue also
    BrowserMatch "MSIE [4-6]" nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [7-9]" ssl-unclean-shutdown

    That stops attempting the work around in version 10... but is that asking too much?

  15. BrowserMatch ".*MSIE ([6-9]|[0-9]{2}).*" ssl-unclean-shutdown

    Should fix the IE10.x (and more) issue. It should be valid until IE99 ...

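The patterns proposed in the post and in comments 13, 14 and 15, checked against sample User-Agent strings. This is an added example, not code from the post, the commenters or the httpd project; the User-Agent strings are constructed, and the two "+ 15" rule sets are an assumed pairing, since comment 15 supplies only the second rule.

```python
import re

# Variables the stock SSL config sets for every MSIE request (from the post).
LEGACY = ["nokeepalive", "ssl-unclean-shutdown", "downgrade-1.0", "force-response-1.0"]
UNCLEAN = ["ssl-unclean-shutdown"]

# (pattern, variables) pairs copied from the page. The "+ 15" sets are an
# assumption: comment 15's rule paired with the first rule of the post / comment 13.
RULESETS = {
    "post":       [(r".*MSIE [1-5].*", LEGACY), (r".*MSIE [6-9].*", UNCLEAN)],
    "comment 13": [(r".*MSIE [2-5]\..*", LEGACY), (r".*MSIE [6-9]\..*", UNCLEAN)],
    "comment 14": [(r"MSIE [4-6]", LEGACY), (r"MSIE [7-9]", UNCLEAN)],
    "post + 15":  [(r".*MSIE [1-5].*", LEGACY),
                   (r".*MSIE ([6-9]|[0-9]{2}).*", UNCLEAN)],
    "13 + 15":    [(r".*MSIE [2-5]\..*", LEGACY),
                   (r".*MSIE ([6-9]|[0-9]{2}).*", UNCLEAN)],
}

# Constructed sample User-Agent strings (not taken from the page).
SAMPLE_UAS = {
    "IE5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "IE6":   "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "IE7":   "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "IE10":  "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
}

def env_for(ruleset, user_agent):
    """Variables a rule set assigns to one request.

    SetEnvIf/BrowserMatch patterns are unanchored, and every matching
    directive adds its variables, so each rule is tried with re.search.
    """
    env = set()
    for pattern, variables in RULESETS[ruleset]:
        if re.search(pattern, user_agent):
            env.update(variables)
    return env

def keepalive_allowed(ruleset, user_agent):
    """True when the rule set leaves persistent connections enabled."""
    return "nokeepalive" not in env_for(ruleset, user_agent)

if __name__ == "__main__":
    for name in RULESETS:
        for browser, ua in SAMPLE_UAS.items():
            flags = " ".join(sorted(env_for(name, ua))) or "(none)"
            print(f"{name:11} {browser:6} {flags}")
```

With the `[1-5]` rule, "MSIE 10.0" matches on its leading "1" and loses keepalive again, and adding comment 15's rule alone does not change that; anchoring the version digit to the dot, as comment 13 does, is what separates 1.x from 10.x.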