Jörg Ellermann 2006-02-21, 5:56 pm
Hi,
I have the following configuration:
Win2003 Server
Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
Self-signed certificate (that does NOT currently match the server name -
big whoops here? It generates warnings but otherwise shouldn't create
problems, right?)
I'm using this setup to serve php pages and enable secure downloads of
files, some of which are up to 150 MB in size.
The problem is that some clients (using Internet Explorer) complain
about very long connection times (), especially when two clients are
simultaneously downloading large files. After the connection has finally
been established, the download itself works fine and with the expected
speed. But I've noticed long connection times even while serving normal
pages. Even loading small images over a Gigabit-LAN can take seconds.
Using other browsers seems to pose no problems but the clients aren't
really sure about this :-(
Whatever, I haven't been able to pin it down yet.
The "unclean shutdown" messages I get are probably due to the
"SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0" directive.
There are also seemingly random "SSL input filter read failed" errors.
My ssl.conf:
------------------------------------------------------------------
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#<IfDefine SSL>
Listen *:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex Default
<VirtualHost (x.x.x.x):443>
DocumentRoot "h:/apachedata"
ServerName x.x.x.x
ServerAdmin x@x.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/xxx.crt
SSLCertificateKeyFile conf/ssl/xxx.key
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/apache/cgi">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
#</IfDefine>
------------------------------------------------------------------------
From the logs:
------------------------------------------------------------------------
[Mon Feb 20 17:43:30 2006] [info] Server: Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
[Mon Feb 20 17:43:31 2006] [info] Init: Initializing OpenSSL library
[Mon Feb 20 17:43:31 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Feb 20 17:43:31 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Feb 20 17:43:31 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Mon Feb 20 17:43:32 2006] [info] Init: Initializing (virtual) servers for SSL
[Mon Feb 20 17:43:32 2006] [info] Server: Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
[Mon Feb 20 17:43:32 2006] [notice] Child 5200: Child process is running
[Mon Feb 20 17:43:32 2006] [info] Parent: Duplicating socket 208 and sending it to child process 5200
[Mon Feb 20 17:43:33 2006] [info] Parent: Duplicating socket 204 and sending it to child process 5200
[Mon Feb 20 17:43:33 2006] [notice] Child 5200: Acquired the start mutex.
[Mon Feb 20 17:43:33 2006] [notice] Child 5200: Starting 250 worker threads.
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:18:28 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:18:28 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:19:16 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:19:17 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
------------------------------------------------------------------------
Does anyone have an idea what's wrong here?
Thanks, Jörg
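The info-level mod_ssl entries quoted in the post can be paired per child to see how long each SSL connection stayed open on the server, how many requests it carried, and how it was shut down. The Python below is an added example, not part of the original post; the sample lines are the post's own log entries with the wrapped lines rejoined, and the function and pattern names are made up for the illustration.

```python
import re
from datetime import datetime

# Sample input: the two connection sequences from the post's error log,
# with each wrapped entry rejoined onto one line.
SAMPLE_LOG = """\
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:18:28 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:18:28 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:19:16 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:19:17 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
OPENED = re.compile(r"Connection to child (\d+) established")
REQUEST = re.compile(r"HTTPS request received for child (\d+)")
CLOSED = re.compile(r"Connection to child (\d+) closed with (\w+) shutdown")

def summarize(log_text):
    """Return one dict per closed connection: child, requests, seconds open, shutdown type."""
    open_conns, done = {}, []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip wrapped fragments and non-log lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        if (o := OPENED.search(msg)):
            open_conns[o[1]] = {"child": int(o[1]), "opened": ts, "requests": 0}
        elif (r := REQUEST.search(msg)) and r[1] in open_conns:
            open_conns[r[1]]["requests"] += 1
        elif (c := CLOSED.search(msg)) and c[1] in open_conns:
            conn = open_conns.pop(c[1])
            done.append({"child": conn["child"], "requests": conn["requests"],
                         "seconds": (ts - conn["opened"]).total_seconds(),
                         "shutdown": c[2]})
    return done

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The timestamps have one-second resolution, and the log only covers the time after Apache has accepted the connection, so any delay the client sees before that point does not appear in these figures.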