IE9 and apache SSL nokeepalive settings

Currently I am using Apache 2.2.3 and CentOS 5.4 for my php applications (php running on 5.3.7) and application is running on HTTPS and with Root CA cert.

The problem is that we have been experiencing some weird issues with IE9 (IE9 only). When IE9 browser submit a HTTPS request to our server, sometimes there is no HTTPS response. What I have noticed is that IE9 will refresh the page. To be more specific, the mentioned page is a login page. So when I enter username and password and submit the form, but there is not response and IE9 seems like reloading the same login page again. (with blank username and password)

When tracing from application level, I do notice I have received the username and password and the application ended without errors.

The main headache is that it can't be reproduced every time. Sometimes we can login without any problems, but sometimes it will have the said issue mentioned above.

Now our company got network team, developers and other teams. Our apache is running under a load balancer. The network guys claim that they never change any settings, the only changes is our application. But from developers point of view the changes got nothing to do with login process.

From my point of view it does seems like once user click submit, and application (apache) did what it does by sending out a HTML (HTTPS Response), but the HTML is somehow miraculousy disappeared in network. I do suspect there is something to do with connection keep-alive? Probably IE9 browser agent handles it differently, and somehow it deems the connection fails and reload the page for a retry?

But anyhow, I have noticed the following settings in Apache for SSL conncetion:

SetEnvIf User-Agent ".MSIE." \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0

Not sure how we can setup in a way that to exclude IE9 and above? When I do a search the above settings is to fix some long-standing issue when IE is connecting with Apache. But since IE9 is quite brand-new probably the problem is fixed already, and that we need to update the settings?

Hopefully someone can shed some lights on this..


Solution 1:

Most likely the server/network setup has an issue somewhere and is not caused by any IE9 quirks.

First off get rid of the ancient pre IE6 config: SetEnvIf User-Agent ".MSIE." \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 and just try running with out that at all (in any forms). Unless you need to support IE5 which i doubt you do in which case you are correct to change the regex to MSIE [2-5]

The Load balancer and having no keepalive is likely the problem. I would be very suspicious of the load balancer and check exactly what is going on there first.

A load balancer will usually 'balance load' between two or more ip addresses (internal or external it doesn't matter at this point).

Then having no keepalive on connections between requests the client computer/browser will have to perform SSL negotiation for every request. Combine this with slowness and low timeout settings and we can get SSL cert mismatching issues and IE will probably bail because of strict security setup. I haven't investigated exactly if IE9 has this trait only. I would suspect other browsers do this too and deal with it differently.

If you are using SSL you should have KeepAlive on as it will make the site much faster and not have to go through SSL Negotiation over and over thus failing because the load balancer is not keeping the session on the same server during the lifetime of the visitor.

If your application is internal (on an intranet) your load balancer is randomly jumping ip addresses on you and SSL needs it to be the same per connection.

If it is not on an intranet the same could be true, I don't know how your network is setup but you should check into that first. Disable the load balancer and see if the problem exists. and definately put keep alive on.

http://httpd.apache.org/docs/2.2/mod/core.html#keepalive

I would also check if you got reverse dns setup at all. If it is pointing to the load balancer or the server behind the load balancer or what not.

Test your connection and analyze your headers, if external use something like redbot.org or webpagetest.org to check what headers are sent out. Also you can use something like fiddler