Default Apache setting for SSL

causing too many sessions

     
6:21 pm on Feb 24, 2004 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member


There is a default conf setting for mod_ssl

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

While doing some load testing we noticed the program was running 100 concurrent users yet there were 820 sessions. This was, obviously, not making Apache very happy.

We are using 'netstat -an | grep -c 443' to count sessions.

We looked into this further and noticed that on one machine it was 2 sessions for a single connection and on the other it was roughly 23. We noticed one machine was using moz and one was IE. After many tests the issue was with IE only and that led us to the conf.

2 questions

1. What is that default setting for?
2. Are there any major issues with removing it?

I am reading madly but wondered if anyone knew what this was all about.

<added>It seems to be mainly for IE 4 not supporting HTTP 1.1
[httpd.apache.org...]
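
An added example, not part of the original posts: `grep -c 443` counts every `netstat -an` line that contains the digits 443, whatever the socket state and whichever column they appear in, so a per-state count restricted to local port 443 shows more clearly what the server is holding. The function names and the sample output are constructed for illustration, and the Linux column layout (local address in column 4, state in column 6) is assumed.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (Linux column layout assumed).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51235      TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.7:51236      TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.7:51237      TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.8:40211      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:44301      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:54430      ESTABLISHED
EOF
}

# The count used in the post: any line with "443" anywhere in it.
# This includes the listener, closed sockets in TIME_WAIT, and unrelated
# connections whose remote port merely contains the digits (44301, 54430).
naive_count() {
    grep -c 443
}

# Per-state count, restricted to TCP sockets whose *local* port is exactly 443.
# [:.] accepts both "addr:443" (Linux) and "addr.443" (BSD-style) notation.
count_by_state() {
    awk '$1 ~ /^tcp/ && $4 ~ /[:.]443$/ { n[$6]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Connections that are actually open on local port 443 right now.
established_443() {
    awk '$1 ~ /^tcp/ && $4 ~ /[:.]443$/ && $6 == "ESTABLISHED" { c++ }
         END { print c + 0 }'
}

# On a live server, replace sample_netstat with: netstat -an
echo "naive grep count: $(sample_netstat | naive_count)"
echo "established on 443: $(sample_netstat | established_443)"
sample_netstat | count_by_state
```
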

6:43 pm on Feb 24, 2004 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member


It looks like we are going to just change it to

SetEnvIf User-Agent ".*MSIE 4.*"

and it seems to work fine. We only have 0.11% IE4 users so I am not too worried. We are going to rerun our use cases and see how badly it skewed the numbers.

stupid IE.

11:52 pm on Feb 24, 2004 (gmt 0)

Junior Member

10+ Year Member


I had problems with Thawte 40 bit certs and export versions of IE and found those fixes nearly three years ago on the mod_ssl website.
[modssl.org...]

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

nokeepalive is creating the load problems. If a page has several images, a new Apache child is opened for each image, including a new SSL handshake, and the webpage takes longer to download with MSIE.

Removing nokeepalive also fixes the problem.

I found other problems with MSIE including occasional DNS errors with SSL. The following in httpd.conf (Apache 1.3.29) will fix several MSIE related problems, especially with the buggy Export versions.

SSLSessionCache dbm:logs/ssl_cache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

SetEnvIf User-Agent ".*MSIE.*" \
ssl-unclean-shutdown downgrade-1.0 force-response-1.0

"We only have 0.11% IE4 users so I am not too worried."

IE4 users may not be able to access SSL servers with 128 bit certificates. Have you done any tests with IE4? My testing with IE4 produced DNS errors.

You can also improve the overall performance of Apache by reducing KeepAliveTimeout from 15 to 5.

12:20 am on Feb 25, 2004 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member


"Have you done any tests with IE4?"

No, and I don't think we care enough.

thx Gorufu.

We reran a few of the use cases and have already had results that are double the original numbers. No surprise really.