When I connect via HTTPS to an Apache with Mod_SSL or OpenSSL server with Microsoft Internet Explorer (MSIE), I get various I/O errors. What is the reason?
The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally, the interaction between SSL and HTTP/1.1 features is problematic with some MSIE versions, too. You can work around these problems by forcing Apache with Mod_SSL or OpenSSL not to use HTTP/1.1 or keep-alive connections and not to send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL virtual host section:
Open the file with any text editor and carefully insert the code below in the appropriate place, around the directive for "SSLengine on". You may have to insert it in both the IF and the ELSIF portions of the setup:
- $PerlConfig .= "Listen $ip:443\n";
- $PerlConfig .= "<VirtualHost $ip:443>\n";
- # ------------- INSERT THIS CODE -------------
- $PerlConfig .= "SetEnvIf User-Agent \".*MSIE.*\" \\\n";
- $PerlConfig .= " nokeepalive ssl-unclean-shutdown \\\n";
- $PerlConfig .= " downgrade-1.0 force-response-1.0 \n";
- # ------------- END INSERT -------------------
- $PerlConfig .= "SSLengine on\n";
- $PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";
- $PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
- $PerlConfig .= join('', @ssl_conf);
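The inserted lines only work if they reach Apache as one SetEnvIf directive joined by backslash-newline continuations. The following added example (not part of the original FAQ or of the Cobalt script) rebuilds the string, folds the continuations the way Apache does, and applies the pattern to constructed User-Agent strings; the helper names `fold_continuations` and `parse_setenvif` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build the directive text the way the inserted lines do. In a Perl
# double-quoted string "\\\n" is a backslash followed by a newline,
# which Apache reads as a line continuation.
my $PerlConfig = '';
$PerlConfig .= "SetEnvIf User-Agent \".*MSIE.*\" \\\n";
$PerlConfig .= " nokeepalive ssl-unclean-shutdown \\\n";
$PerlConfig .= " downgrade-1.0 force-response-1.0 \n";

# Fold continuation lines: a backslash that is the last character on a
# line joins that line with the next one.
sub fold_continuations {
    my ($text) = @_;
    $text =~ s/\\\n//g;
    return grep { /\S/ } split /\n/, $text;
}

# Parse one SetEnvIf line into (attribute, regex, [variables]).
sub parse_setenvif {
    my ($line) = @_;
    my ($attr, $regex, $vars) =
        $line =~ /^\s*SetEnvIf\s+(\S+)\s+"([^"]*)"\s+(.*\S)\s*$/
        or return;
    return ($attr, $regex, [ split ' ', $vars ]);
}

my @directives = fold_continuations($PerlConfig);
die "expected exactly one directive, got " . scalar(@directives) . "\n"
    unless @directives == 1;
my ($attr, $regex, $vars) = parse_setenvif($directives[0])
    or die "not a SetEnvIf directive: $directives[0]\n";

# Constructed sample User-Agent strings, for illustration only.
my @agents = (
    'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0',
);
for my $ua (@agents) {
    # SetEnvIf matches case-sensitively; a match sets every listed flag.
    my @set = $ua =~ /$regex/ ? @$vars : ();
    printf "%-62s => %s\n", $ua, @set ? join(' ', @set) : '(no flags)';
}
```

Because the pattern is `.*MSIE.*`, every client whose User-Agent contains MSIE gets all four flags, including the unclean SSL shutdown, and no other client does.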
In addition, some MSIE versions are also known to have problems with particular ciphers. Unfortunately, one cannot work around these bugs only for those particular MSIE clients, because the ciphers are already used in the SSL handshake phase. So an MSIE-specific SetEnvIf doesn't work to solve these problems. Instead, one has to make more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects all(!) your clients, i.e., also your non-MSIE clients.

