IE5 SSL & Linux/Apache

Post by Dan » Sun, 08 Oct 2000 04:00:00



Not sure if I'm in the right place here!

I have a Cobalt Raq running Apache 1.3.6 and an SSL cert from Thawte. I have
a cgi shopping cart which works great until you use it through MSIE 5 (and
other versions). The secure order form loads ok but there is a "submit"
button that posts the form info to the shopping cart script. The 1st time
you hit the "submit" button it immediately goes to a "page not found" error,
but clicking back and resubmitting works fine.

Now there seems to be an issue with IE5 and SSL. I've spent a long time
looking for a solution and I've seen posts relating to incorrect
"Content-Length" in the headers but I know this WAS an issue with the cart
but one of the libraries has been updated to deal with this. The other posts
I've noticed involve changing the following in the httpd.conf although being
new to linux I'm not sure how you'd do this:

"BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

and change it to

BrowserMatch "MSIE 5\.0;" nokeepalive downgrade-1.0 force-response-1.0

which solves the problem with IE5 ."

Can anyone shed any light on this or at least point me to the right group to
ask the question?

Thanks in advance

Dan

 
 
 

Post by Grega Brem » Sun, 08 Oct 2000 04:00:00


...and Dan used the keyboard:

>"BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

>and change it to

>BrowserMatch "MSIE 5\.0;" nokeepalive downgrade-1.0 force-response-1.0

>which solves the problem with IE5 ."

What this does is it forces Apache to use HTTP/1.0 whenever a browser
with the signature matching the above attempts to connect.

My advice to you would be to include downgrade/force-response for both
IE4.0 and 5.0, but it needn't be on plain lines - only do this in your
SSL VirtualHost definition. I even think IE4 has some option in its
"Internet Options/Advanced" tab that says "HTTP/1.0 over SSL", and
that might be the key to the problem here - perhaps HTTP/1.1
implementation is still broken in some way, even in IE5 (albeit it
does support SSL/2.0 and SSL/3.0, allegedly).

Hope it helps,
--
    Grega Bremec
    grega.bremec-at-gbsoft.org
    http://www.gbsoft.org/

 
 
 

Post by Dan » Sun, 08 Oct 2000 04:00:00


Great!! I knocked off the use HTTP 1.1 in the advanced settings on IE5 and
it works all the time - this has been a major bugbear and for many
others using this cart! Now I have limited experience with Linux, I can
telnet in and do very simple things but how do I downgrade/force response -
is it difficult?

Many, many thanks for that!

Dan

Post by Joe Schaefe » Sun, 08 Oct 2000 04:00:00



> Great!! I knocked off the use HTTP 1.1 in the advanced settings on IE5 and
> it works all the time - this has been a major bugbear and for many
> others using this cart! Now I have limited experience with Linux, I can
> telnet in and do very simple things but how do I downgrade/force response -
> is it difficult?

[...]

This problem doesn't have anything to do with your cart software-
it's mod_ssl's strict implementation of the SSL specs that causes trouble
with MSIE[45].  Basically what I think happens is that mod_ssl sends
additional information to the browser at the moment the SSL connection has
closed, but *before* the keepalive connection has closed ( See
http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie ).
This extra data is handled correctly by NS, but MSIE thinks it's part of
a subsequent response over the keepalive connection and pukes on your next
request.  IIRC if you wait long enough, the keepalive connection will
time out and MSIE won't get confused by this extra data.

I'd fix it this way- change the beginning of your SSL VirtualHost
(as in httpd.conf) to something like this:

[...]

<VirtualHost my.secure.server:443>
        SSLEngine       on
        BrowserMatch MSIE ssl-unclean-shutdown nokeepalive \
                          downgrade-1.0 force-response-1.0
[...]

I don't know what Cobalt provides in terms of UI for apache config files,
but I recommend you edit httpd.conf by hand, and read the apache docs at

http://www.apache.org/docs/

--
Joe Schaefer

 
 
 

Post by Dan » Sun, 08 Oct 2000 04:00:00


Thanks Joe,

I've found the httpd.conf file in question but I wouldn't mind knowing
whether it's easy to * the whole thing up! Is it a file I can back up
and replace if things go pear shaped??! As I say I'm not experienced with
Linux.........also, where would this bit go - it's quite a long file:

<VirtualHost my.secure.server:443>

>         SSLEngine       on
>         BrowserMatch MSIE ssl-unclean-shutdown nokeepalive \
>                           downgrade-1.0 force-response-1.0
> [...]

Sorry to be a pain and thanks for persevering...cobalt docs aren't too hot!

Many, many thanks

Dan


Post by Joe Schaefe » Sun, 08 Oct 2000 04:00:00



> Thanks Joe,

> I've found the httpd.conf file in question but I wouldn't mind knowing
> whether it's easy to * the whole thing up! Is it a file I can back up
> and replace if things go pear shaped??! As I say I'm not experienced with
> Linux.........also, where would this bit go - it's quite a long file:

> <VirtualHost my.secure.server:443>
> >         SSLEngine       on
> >         BrowserMatch MSIE ssl-unclean-shutdown nokeepalive \
> >                           downgrade-1.0 force-response-1.0
> > [...]

Dan,

I think it's safe to say that we've ventured off-topic for this newsgroup.
Basically your SSL server's configuration will reside inside a <VirtualHost>
</VirtualHost> block within httpd.conf.  When you find it, you only need to
add

BrowserMatch MSIE ssl-unclean-shutdown nokeepalive \
                      downgrade-1.0 force-response-1.0

(this is a "long" line- note the trailing "\".)  This line needs to be
inserted *inside* your server's <VirtualHost></VirtualHost> block.  After
you've done that, you can test your httpd.conf file by using

% apachectl configtest

(apachectl lies inside /usr/local/apache/bin on my server.) If you get
no syntax errors, do a full restart like so

% apachectl stop
% apachectl startssl

You should be in the clear now - if not email me directly to avoid cluttering
this newsgroup.

Best.
--
Joe Schaefer
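
Added example, not part of Joe's post or of Apache: the procedure discussed above (keep a backup of httpd.conf, add the BrowserMatch line inside the SSL VirtualHost block, run configtest, restore the backup if the test fails) as shell functions. The function names, the `.bak` suffix and the `APACHECTL` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). APACHECTL is a hypothetical override
# for this script; the directive text is the one given in the post above.
DIRECTIVE='BrowserMatch MSIE ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0'

# add_msie_workaround FILE
# Copies FILE to FILE.bak, then inserts DIRECTIVE after the first
# "SSLEngine on" inside a <VirtualHost> block.
# Returns 0 on insert, 2 if already present, 1 on error (FILE left untouched).
add_msie_workaround() {
    conf=$1
    [ -f "$conf" ] || return 1
    grep -q 'ssl-unclean-shutdown' "$conf" && return 2
    cp -p "$conf" "$conf.bak" || return 1
    awk -v d="$DIRECTIVE" '
        { l = tolower($0) }                      # directives are case-insensitive
        l ~ /^[ \t]*<virtualhost[ \t>]/  { invh = 1 }
        l ~ /^[ \t]*<\/virtualhost>/     { invh = 0 }
        { print }
        invh && !ins && l ~ /^[ \t]*sslengine[ \t]+on[ \t]*$/ {
            match($0, /^[ \t]*/)                 # reuse the line indentation
            print substr($0, 1, RLENGTH) d
            ins = 1
        }
        END { exit (ins ? 0 : 1) }               # fail if no SSL vhost was found
    ' "$conf.bak" > "$conf.new" || { rm -f "$conf.new"; return 1; }
    # Overwrite in place so owner and mode of FILE are kept.
    cat "$conf.new" > "$conf" && rm -f "$conf.new"
}

# validate_or_rollback FILE
# Assumes FILE is the config apachectl reads. Runs "apachectl configtest"
# and restores FILE.bak when the test fails. Returns 0 if the config is valid.
validate_or_rollback() {
    conf=$1
    if "${APACHECTL:-apachectl}" configtest >/dev/null 2>&1; then
        return 0
    fi
    cp -p "$conf.bak" "$conf"
    return 1
}

# Usage (path is a placeholder), followed by the restart from the post:
#   add_msie_workaround /path/to/httpd.conf && validate_or_rollback /path/to/httpd.conf \
#       && apachectl stop && apachectl startssl
```

The bare `MSIE` pattern is a regular expression matched against the User-Agent header, so it applies the HTTP/1.0 downgrade and disables keepalive for every Internet Explorer version that connects to the SSL virtual host.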

 
 
 

Post by Dan » Sun, 08 Oct 2000 04:00:00


Thanks Joe...I'll give it a go and email you if I need to. Sorry for being
off-topic....

Dan


1. Apache Reverse Proxy, SSL, challenge/response and IE5...

I guess here's a tough one:

A customer of mine wants his Intranet (including OWA) site accessible
from the public Internet with user login via SSL.
An Apache reverse proxy listening on SSL handles the requests from the
outside world, it's talking normal http (like the Intranet clients) with
the ProxyPass Intranet server running IIS.

If basic/clear authentication is set on that IIS Webserver, everything
works just fine. But since it's an IIS in a Windows environment, they're
using challenge/response authentication the way Intranet users don't
need to login again when accessing the site. But as soon as
challenge/response is enabled, the following happens when connecting
from outside over the reverse proxy:
- With Netscape Browsers everything works just fine as usual...
- With IE5
  - accepting the certificate (not trusted at an official authority) does work
  - the authentication dialog box appears
  - but then, the only thing displayed is that "the page cannot be displayed... cannot find server or DNS error" message!

No, it's not the IE5 SSL/PCT/TLS settings, tried any combination.
Disabling the IE5 "friendly http messages" option doesn't change anything.
The logs aren't showing any error messages.
I've scanned Technet and DejaNews in vain, obviously I'm always the
first with such things...
It's not a http 1.0/1.1 issue

Any idea, workaround or hint here would be greatly appreciated!

Thanks in advance (and watch the .sig)
Eric

--
Spam Protection (sorry):
Please remove ANY uppercase character from my email address if replying
