intermittent IE problem
on 04.03.2003 14:00:43 by Mark Boddington
Hi all,
system: Solaris 7 sparc
Apache: 1.3.27
ModSSL: 2.8.12
OpenSSL: 0.9.7a
Is anyone else experiencing any difficulty with IE5.x and the latest
apache/mod_ssl ? My current live system is Apache/1.3.26 ModSSL/2.8.10
OpenSSL 0.9.6e-engine. I'm using an Ncipher SSL accelerator with chil
engine. All is working fine.
I have the User-Agent ".*MSIE.*" work around in place.
I have a SSLSessionCache and my SSLSessionCacheTimeout is 300.
When I upgrade to the newest components I get intermittent IE "Page cannot
be displayed" problems. I've been sniffing the connection, but I have not
been able to identify the problem yet. It doesn't seem to occur on an
initial connection, when IE sends the hello using SSLv2, but on subsequent
connections when IE has the certificate and uses SSLv3 for the hello.
The Initial connection always seems to work:

  Client -> server SSLv2 Client Hello
  Server -> client SSLv3 Server Hello, Certificate
  Client -> server SSLv3 Client key exchange, Change cipher, handshake
  Server -> client SSLv3 Change cipher, handshake
  Server <> client SSLv3 Data

However following connections may fail:

  Client -> server SSLv3 Client Hello
  Server -> client SSLv3 Server Hello, Change cipher, handshake

At this point either:

  IE closes the connection.

OR:

  The handshake continues.
  Client -> server SSLv3 Change cipher, handshake
  Server <> client SSLv3 Data

Any ideas anyone ??
Thanks in advance,
Mark
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: intermittent IE problem
on 04.03.2003 17:03:32 by Mark Boddington
Sorry I forgot to mention that I am also getting the following in the
ssl_engine log when IE disconnects:
[04/Mar/2003 15:00:16 04121] [info] Connection to child 6 established (server admin.netbanx.com:443, client 10.10.10.10)
[04/Mar/2003 15:00:16 04121] [info] Seeding PRNG with 1160 bytes of entropy
[04/Mar/2003 15:00:16 04121] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
As you can see there are no errors apart from the handshake interrupt
caused by IE disconnecting from the server.
I think this issue may be something to do with the SSLSessionCache. If I
connect to the server and restart IE multiple times I get the page cannot
be displayed error within a few minutes. I'm using dbm for my cache, I'll
try switching to shm to see if that improves the situation.
Cheers,
Mark
Re: intermittent IE problem
on 04.03.2003 17:44:12 by jgelb
Fwiw, I'm getting nearly identical symptoms as well. After an
indeterminate amount of time, SSL requests to the server seem to hang
indefinitely. The problem appears to temporarily clear itself for a
short time.
IE seems to trigger it frequently, but another person here has seen it
with Mozilla.
We've been using shm for our session cache.
Setting MaxRequestsPerChild to something low seems to have eased
things significantly, but not resolved them entirely.
Restarting the server clears the problem completely... for a little
while.
I've run with max SSL debugging and trussed the servers, but nothing
useful was logged... but, then again, I'm not sure what I'd be looking
for, and we can't trigger the symptoms at will.
Details:
solaris 2.8, apache 1.3.27, openssl 0.97a, mod_ssl-2.8.12-1.3.27
We've turned off keepalive and set ssl-unclean-shutdown for both MSIE
and Mozilla, set downgrade-1.0 and forceresponse-1.0 for MSIE, and are
running with the default SSLCipherSuite, except that Export56 is
disabled.
Thanks.
-- jeff
On Tue, Mar 04, 2003 at 04:03:32PM +0000, Mark Boddington wrote:
>
> Sorry I forgot to mention that I am also getting the following in the
> ssl_engine log when IE disconnects:
>
> [04/Mar/2003 15:00:16 04121] [info] Connection to child 6 established (server admin.netbanx.com:443, client 10.10.10.10)
> [04/Mar/2003 15:00:16 04121] [info] Seeding PRNG with 1160 bytes of entropy
> [04/Mar/2003 15:00:16 04121] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
>
> As you can see there are no errors apart from the handshake interrupt
> caused by IE disconnecting from the server.
>
> I think this issue may be something to do with the SSLSessionCache. If I
> connect to the server and restart IE multiple times I get the page cannot
> be displayed error within a few minutes. I'm using dbm for my cache, I'll
> try switching to shm to see if that improves the situation.
>
> Cheers,
>
> Mark
Re: intermittent IE problem
on 04.03.2003 17:51:34 by Geoff Thorpe
* jgelb (jgelb@pearsoncmg.com) wrote:
[snip]
> We've been using shm for our session cache.
Which one? shmht or shmcb?
Cheers,
Geoff
--
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/
Re: intermittent IE problem
on 04.03.2003 18:01:13 by jgelb
shmcb
We've also done both file and semaphore based mutexes.
--jeff
On Tue, Mar 04, 2003 at 11:51:34AM -0500, Geoff Thorpe wrote:
> * jgelb (jgelb@pearsoncmg.com) wrote:
>
> [snip]
>
> > We've been using shm for our session cache.
>
> Which one? shmht or shmcb?
>
> Cheers,
> Geoff
>
> --
> Geoff Thorpe
> geoff@geoffthorpe.net
> http://www.geoffthorpe.net/
>
more info Re: intermittent IE problem,
on 06.03.2003 17:07:47 by jgelb
Some more info:
Looking more closely at ssl logs, I think I'm seeing the following
behavior during our freezes:
[06/Mar/2003 10:32:43 24491] [trace] OpenSSL: Loop: before/accept initialization
[06/Mar/2003 10:37:23 24443] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#001C4278 [mem: 00288B30]
The server is completely unresponsive until after the I/O error is
logged. Sometimes that's right away, other times it's 5 minutes, per
above.
On the subject of logging, I'm occasionally seeing something like:
[06/Mar/2003 11:03:42 24782] [debug] OpenSSL: read 788/34821 bytes from BIO#001783D0 [mem: 0021DF50] (BIO dump follows)
Is the "short" read really a short read, or just the debugging system
logging something before the read is complete?
Thanks for any and all info.
-- jeff gelb
On Tue, Mar 04, 2003 at 11:44:12AM -0500, jgelb wrote:
>
> Fwiw, I'm getting nearly identical symptoms as well. After an
> indeterminate amount of time, SSL requests to the server seem to hang
> indefinitely. The problem appears to temporarily clear itself for a
> short time.
>
> -- jeff
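
Added example, not part of the original thread and not mod_ssl code: a small Python reader for the ssl_engine log format quoted above. It rejoins wrapped entries, reports silent gaps such as the 10:32:43 to 10:37:23 freeze, and counts "Spurious SSL handshake interrupt" entries per child PID. The sample log combines the two entries quoted in the last message with constructed lines (host www.example.test and client 192.0.2.10 are placeholders); the 60-second threshold is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Sample in the ssl_engine log format from the thread: the last two entries are
# the ones quoted in the final message, the first two are constructed.
SAMPLE_LOG = """\
[06/Mar/2003 10:32:40 24491] [info] Connection to child 3 established
(server www.example.test:443, client 192.0.2.10)
[06/Mar/2003 10:32:40 24491] [info] Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[06/Mar/2003 10:32:43 24491] [trace] OpenSSL: Loop: before/accept
initialization
[06/Mar/2003 10:37:23 24443] [debug] OpenSSL: I/O error, 5 bytes
expected to read on BIO#001C4278 [mem: 00288B30]
"""
ENTRY = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\] (.*)$")

def parse_entries(text):
    """Rejoin wrapped lines; return (time, pid, level, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
            entries.append([ts, int(m.group(2)), m.group(3), m.group(4)])
        elif entries and line.strip():
            entries[-1][3] += " " + line.strip()  # continuation of previous entry
    return [tuple(e) for e in entries]

def find_stalls(entries, threshold_s=60):
    """Return (gap_seconds, entry_before, entry_after) for each silent period."""
    stalls = []
    for prev, cur in zip(entries, entries[1:]):
        gap = (cur[0] - prev[0]).total_seconds()
        if gap >= threshold_s:
            stalls.append((gap, prev, cur))
    return stalls

def count_interrupts(entries):
    """Count 'Spurious SSL handshake interrupt' entries per child PID."""
    return Counter(p for _, p, _, m in entries if m.startswith("Spurious SSL handshake interrupt"))

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for gap, before, after in find_stalls(parsed):
        print(f"{gap:.0f}s silent after {before[3]!r} (pid {before[1]}); resumed by pid {after[1]}")
    print("handshake interrupts per child:", dict(count_interrupts(parsed)))
```

Comparing the PID that logged the last entry before a gap with the PID that logs first afterwards shows whether one child stalled or the whole server went quiet.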