You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Axel-Stéphane SMORGRAV <Ax...@europe.adp.com> on 2004/11/02 08:26:07 UTC

[users@httpd] RE : Apache/mod_ssl/IE problem

Just a shot in the dark.

Try to add this to your configuration if you haven't already. Make sure you have mod_setenvif loaded.

   BrowserMatch "MSIE" nokeepalive downgrade-1.0 force-response-1.0

-ascs

-----Message d'origine-----
De : d.j.potts@bcs.org.uk [mailto:d.j.potts@bcs.org.uk] 
Envoyé : lundi 1 novembre 2004 17:57
À : users@httpd.apache.org
Objet : [users@httpd] Apache/mod_ssl/IE problem


Hello,

We have a problem with apache with the following symptoms

- the number of apache processes hits MaxClients
- the CPU on the box isn't doing much when we hit the max number of apache processes
- sometimes apache recovers after about 5 minutes and we reduce to a more typical number of processes
- other times apache has totally locked up an required a restart

We see no pattern as to when this is occuring. It has occurred during quiet periods and during periods of heavy load.

We have upped the MaxClients to 256, but we hit that level too.

All our users connect over SSL.

We have seen the following articles on the Microsoft site that makes us think that this could because of broken version of IE in our user community. However, we don't know from the articles the exact combination of OS and IE that would cause the problems and therefore haven't been able to recreate in a test environment.

http://support.microsoft.com/default.aspx?kbid=305217
http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx


We also get the following error in the SSL error log:

[Tue Oct 26 06:43:04 2004] [error] mod_ssl: SSL handshake interrupted by system
[Hint: Stop button pressed in browser?!] (System error follows) [Tue Oct 26 06:43:04 2004] [error] System: Connection timed out (errno: 145)

We see this quite a lot during normal operation. However, during the periods were we hit the MaxClient processes, we see the number of these errors increase by an order of magnitude.

Has anyone else seen similar problems and if so, what was their solution? If this is the problem described on the MS site, what version of Windows and IE do we need to recreate? Are there any server side only solutions?

We are running on Solaris with apache 1.2.26 and mod_ssl 2.8.10 using a Sun Crypto 1 SSL accelerator card.

Any help greatly apprecicated.

Cheers,

Dave.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] RE : Apache/mod_ssl/IE problem

Posted by d....@bcs.org.uk.
Hi,

Thanks for your reply.

We have the following BrowserMatch directives in our httpd.conf:

    <IfModule mod_setenvif.c>
        BrowserMatch "Mozilla/2" nokeepalive
        BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
        BrowserMatch "RealPlayer 4\.0" force-response-1.0
        BrowserMatch "Java/1\.0" force-response-1.0
        BrowserMatch "JDK/1\.0" force-response-1.0
    </IfModule>

We also have the following:

    SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

Reading up on some other postings, I also think the following settings are of
interest:

    SSLSessionCache        shmcb:/usr/app/apache/logs/ssl_scache(512000)
    SSLSessionCacheTimeout  300

According the Apache: The Definitive Guide, "BrowserMatch" and "SetEnvIf
User-Agent" do the same thing.

Despite these we are still seeing the server hanging.  Anyone else seen this?

Cheers,

Dave..



Quoting Axel-Stéphane  SMORGRAV <Ax...@europe.adp.com>:

> Just a shot in the dark.
>
> Try to add this to your configuration if you haven't already. Make sure you
> have mod_setenvif loaded.
>
>    BrowserMatch "MSIE" nokeepalive downgrade-1.0 force-response-1.0
>
> -ascs
>
> -----Message d'origine-----
> De : d.j.potts@bcs.org.uk [mailto:d.j.potts@bcs.org.uk]
> Envoyé : lundi 1 novembre 2004 17:57
> À : users@httpd.apache.org
> Objet : [users@httpd] Apache/mod_ssl/IE problem
>
>
> Hello,
>
> We have a problem with apache with the following symptoms
>
> - the number of apache processes hits MaxClients
> - the CPU on the box isn't doing much when we hit the max number of apache
> processes
> - sometimes apache recovers after about 5 minutes and we reduce to a more
> typical number of processes
> - other times apache has totally locked up an required a restart
>
> We see no pattern as to when this is occuring. It has occurred during quiet
> periods and during periods of heavy load.
>
> We have upped the MaxClients to 256, but we hit that level too.
>
> All our users connect over SSL.
>
> We have seen the following articles on the Microsoft site that makes us think
> that this could because of broken version of IE in our user community.
> However, we don't know from the articles the exact combination of OS and IE
> that would cause the problems and therefore haven't been able to recreate in
> a test environment.
>
> http://support.microsoft.com/default.aspx?kbid=305217
> http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
>
>
> We also get the following error in the SSL error log:
>
> [Tue Oct 26 06:43:04 2004] [error] mod_ssl: SSL handshake interrupted by
> system
> [Hint: Stop button pressed in browser?!] (System error follows) [Tue Oct 26
> 06:43:04 2004] [error] System: Connection timed out (errno: 145)
>
> We see this quite a lot during normal operation. However, during the periods
> were we hit the MaxClient processes, we see the number of these errors
> increase by an order of magnitude.
>
> Has anyone else seen similar problems and if so, what was their solution? If
> this is the problem described on the MS site, what version of Windows and IE
> do we need to recreate? Are there any server side only solutions?
>
> We are running on Solaris with apache 1.2.26 and mod_ssl 2.8.10 using a Sun
> Crypto 1 SSL accelerator card.
>
> Any help greatly apprecicated.
>
> Cheers,
>
> Dave.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info. To
> unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org