IE and client verification problem
am 03.11.2002 16:52:32 von MarcinHi,
I'm experiencing weird problems with MSIE clients accessing pages on a
Apache 1.3.26+mod_ssl-2.8.9
server (Debian Woody with current updates) with client verification turned
on.
I created and signed CA certificate, then created and signed server and
several clients' certificates.
On every client workstation, I imported the proper client certificate into
MSIE.
In Apache config I enabled mod_ssl and set "verify client required" for
Document Root directory,
and put the "magic" SetEnviF stuff (unclean-shutdown, downgrade-1.0 and so
on) as recommended in FAQ.
Everything seemed to work just fine, but users started report absence of
some pages' elements.
Further investigation showed, that for some unknown reasons, the MSIE
doesn't load all of the page
components.
I've created simply test.html:
(some more repetition of above line)
put it into DocumentRoot and requested it from the MSIE. Randomly choosen
pictures did not come up, and
MSIE showed well-known red X sign for them. Then I refreshed the page, and
some of the pictures became
visible, but the other were replaced with X sign. I restarted the browser,
then the workstation, then tried it
on another couple of workstations with no success.
I've following statements so far:
* the problem exists in all version of MSIE I've installed:
Win95+IE 5.5 SP2;
Win98+IE 6.0, Win98+IE 6.0 SP1;
WinXP+IE 6.0, WinXP+IE 6.0 SP1;
EXCEPT W2000+IE6.0, which works just perfect
* on WinXP IE often crashed completely (kindly offering to send a report to
MS for analysis)
* I could reproduce the problem on another Debian machine, and also on
full-patched RedHat 7.0
* turning off the client verification in mod_ssl solves the problem
completely (but I can't do this)
* slowing the link (with CBQ) to as low as 64kbps also solves the problem
(got to throw away all 100Mbit cards ;)))
* inserting stunnel between MSIE and Apache, either at the Apache side
(turning of mod_ssl) or at the workstation side
(no https in MSIE) solves the problem
* and last, but not least, Mozilla and Opera works perfect (tell me why I'm
not surprised?)
Did any of you observe anything similar to this? I searched the mailing list
archive, news groups,
but found near nothing. I also tried to play with SetEnvIf directive, and
turning off the downgrade
compatibility options clearly helped some WinXP+IE 6.0 SP1 workstations, but
made things worse
on rest of them.
Thanks for your time,
--
Marcin
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org