it looks like we are going to just changed it to

SetEnvIf User-Agent ".*MSIE 4.*"

and it seems to work fine. We only have 0.11% IE4 users so I am not too worried. We are going to rerun our use cases and see how badly it skewed the numbers.

stupid IE.

I had problems with Thawte 40 bit certs and export versions of IE and found those fixes nearly three years ago on the mod_ssl website.
[modssl.org...]

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

nokeepalive is creating the load problems. If a page has several images, a new Apache child is opened for each image, including a new SSL handshake, and the webpage takes longer to download with MSIE.

Removing nokeepalive also fixes the problem.

I found other problems with MSIE including occasional DNS errors with SSL. The following in httpd.conf (Apache 1.3.29) will fix several MSIE related problems, especially with the buggy Export versions.

SSLSessionCache dbm:logs/ssl_cache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

SetEnvIf User-Agent ".*MSIE.*" \
ssl-unclean-shutdown downgrade-1.0 force-response-1.0

We only have 0.11% IE4 users so I am not too worried.

IE4 users may not be able to access SSL servers with 128 bit certificates. Have you done any tests with IE4? My testing with IE4 produced DNS errors.

You can also improve the overall performance of Apache by reducing KeepAliveTimout from 15 to 5.

Have you done any tests with IE4?

No, and I don't think we care enough.

thx Gorufu.

We re ran a few of the use cases and have already had results that are double the original numbers. No surprise really.