In article <[EMAIL PROTECTED]> you wrote:
> On Thu, May 20, 1999 at 09:28:45AM +0200, Ralf S. Engelschall wrote:
>
>>> Question: some of the messages say that the fix involves setting
>>> both ssl-unclean-shutdown *and* nokeepalive for MSIE browsers,
>>> while some other messages seem to say it's ok to just use
>>> ssl-unclean-shutdown but leave keepalives enabled. [...]
>>> Can anyone (Ralf?) say what the story is about this? [...]
>
>> Some weeks ago I've established a testserver and we let people
>> connect with lots of browsers. The result was that most newer MSIE
>> browsers failed with I/O errors. After tracing down the problem it
>> was clear that it's related to the shutdown sequence. But it occurred
>> only under certain circumstances and with some browser versions.
>> Especially when mod_ssl performs a correct shutdown after POST
>> requests, i.e. sends the close notify alert, MSIE presents the I/O
>> error. When one does an unclean shutdown here (i.e. not sending the
>> close notify alert) MSIE still complains. When we avoid keepalive, it
>> then worked.
>
> What exactly does Apache with mod_ssl do when shutting down an SSL
> connection (in the default case)? Does it send its close_notify alert
> and then send a FIN -- i.e. shutdown(..., SHUT_WR) -- so that the
> browser still can write TCP data, or does it send the close_notify
> alert and then immediately perform a (half-duplex) close(...)?
                                        ^^^^ half? you mean full, right?

In the default case mod_ssl does approximately the following (it's a lot more
complex, because parts of this are done by mod_ssl, parts of this by the
Apache kernel and what the Apache kernel actually does depends on lots of
flags and compile time and platform options: standard close, lingering close,
etc):

    SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
    SSL_smart_shutdown(ssl);
    SSL_free(ssl);
    ap_bsetflag(fb, B_EOUT, 1);
    [ shutdown(fb->fd, SHUT_WR); ]
    ap_bclose(fb);

The first three are still inside mod_ssl (ssl is an SSL*), the ap_xx() calls
are inside the Apache kernel (fb is a BUFF* corresponding to a fd). The
shutdown() is not always done by Apache (it depends on the platform and
whether lingering close should be done).

On FreeBSD, where the lingering close with shutdown() is done, I've never
observed any problems (my testserver was also a FreeBSD box). If I
understand you correctly, the problem can be those platforms where Apache
doesn't do the lingering close, right?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
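
Added example (not part of the original message, and not Apache or mod_ssl code): a minimal C sketch of the lingering-close step discussed in the thread, i.e. shutdown(fd, SHUT_WR) followed by draining the socket before close(). The names lingering_close and demo_lingering_close, the 2000 ms timeout and the socketpair standing in for a browser connection are assumptions.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (name and timeout are assumptions). Call it after the
 * TLS layer has written its close_notify alert and released the SSL object.
 * Returns the number of bytes drained, or -1 if the half-close fails. */
long lingering_close(int fd, int timeout_ms)
{
    char buf[512];
    long drained = 0;
    struct pollfd p = { .fd = fd, .events = POLLIN };

    /* Half-close: send FIN but keep the receive side open, so data the
     * client still sends is read here instead of provoking a TCP reset. */
    if (shutdown(fd, SHUT_WR) < 0) {
        close(fd);
        return -1;
    }
    /* Drain until the peer closes (read returns 0) or stays silent. */
    while (poll(&p, 1, timeout_ms) > 0) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0)
            break;
        drained += n;
    }
    close(fd);
    return drained;
}

/* Constructed demo: a socketpair stands in for the browser connection. */
long demo_lingering_close(void)
{
    int sv[2];
    static const char late[] = "late client bytes"; /* constructed sample */

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (write(sv[1], late, sizeof late - 1) < 0)    /* client writes late */
        return -1;
    shutdown(sv[1], SHUT_WR);                       /* client sends its FIN */
    long n = lingering_close(sv[0], 2000);
    close(sv[1]);
    return n;
}

int main(void) { printf("drained %ld bytes\n", demo_lingering_close()); return 0; }
```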