Enhydra / Apache / SSL / Internet Explorer Problem

on 06.08.2002 17:29:18 by Nigel Croston

Hi All

Having a serious problem when trying to use SSL and Internet Explorer. Our
server is running Enhydra, Apache and Mod SSL.

The problem occurs when we try and connect to our site via SSL (HTTPS).

When running our site through HTTPS, when pressing submit buttons or links
that post to the server, after maybe 2 or 3 times we get the following
warning message box.

"Downloading non-secure content from a secure web (yes, no, more info
buttons)"

If Yes is pressed we receive a "The page cannot be displayed" page.

If No is pressed we receive a blank white page with "NavigationCancelled" on
the top left hand corner.

Also when this occurs the browser doesn't even seem to connect to the server,
and a quick tap of the Back and Forward buttons on the browser usually means
the post hits the server and normal service is resumed for a while.

This error happens intermittently, with no discernible pattern,
e.g. sometimes it will take 5 or 6 posts to appear, other times it will
happen after 1 or 2, and can happen on any of the pages that post
back to the server.

This error only appears on Internet Explorer, not on Netscape.

This error can be worked around client side by either unchecking the ...

"show friendly HTTP error messages" (Tools | Internet Options | Browsing
section)
or by unchecking the "Use SSL 3.0" (Tools | Internet Options | Security
section)

....but this is an unacceptable solution for my boss =(.


To cure this problem we have tried several things already on the server side
including adding these lines to our HTTPD.conf file for Apache
(using ModSSL with Enhydra \ apache)...

- Setting the SSL Cache variable higher

SSLSessionCache(512000)

- switching off SSLv3 in the server config

SSLProtocol all -SSLv3

- Detecting when a MSIE connects to the server and removing the "keep alive"
command for this instance

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0


- Tried specifying which cipher encryption to use to work around the known
export 56k IE bug

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP


Below is a list of packages that are relevant to our system and version
numbers for our live server.

REDHAT 6.2.1
KERNEL 2.2.19-6.2.12
APACHE 1.3.9
MOD_SSL 2.4.5
POSTGRES 6.5-3.6
LDAP 1.2.12
OPENSSL 0.9.4
IMAP 2000c-1.6.1
ENHYDRA 3.1
JAVA 1.3

Also below is a list of the same packages and version numbers from our local
development server.

REDHAT 7.0
KERNEL 2.2.17-14smp
APACHE 1.3.14-3
MOD_SSL 2.7.1
POSTGRES 7.0.2-17
LDAP 1.2.11
OPENSSL 0.9.5a
IMAP 4.5-4
ENHYDRA 3.1
JAVA 1.3

I am very quickly running out of solutions to try to cure this problem so
any new ideas \ solutions would be very greatly appreciated =)

Cheers

Nigel Croston


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org