SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
UPDATE YOUR
EMAIL SECURITY
"IUEU"

Internet Explorer versus SSL

The problem comes from buggy handling of the combination SSL+POST+HTTP Keep-Alive in Internet Explorer. Problems with this combination have been around in different shapes since at least IE5.

Problem

Users using Internet Explorer experience the following:

Sometimes when using different functions of SquirrelMail, especially when composing mail (adding an attachment or pushing Send), Internet Explorer either:

  • Goes into some form of limbo - the flag in the upper right corner is waveing, but nothing happens.
  • Displays an error page in the right-hand frame
  • Pops up a dialogue box saying (English version) "This page contains both secure and nonsecure items. Do you want to display the nonsecure items? Yes/No/More Info". It does not matter if you push Yes or No - you don't get any further.

Cause

Internet Explorer + SSL + HTTP POST + HTTP Keep-Alive Enabled + HTTP Keep-Alive Timeout below 60 seconds = Poor mix. Given these conditions Internet Explorer will misbehave. It seems Internet Explorer simply can not cope with a lower Keep-Alive Timeout than 60 seconds when performing POST operations towards a SSL-enabled webserver.

Solution

Configure your webserver with a Keep-Alive Timeout of 60 seconds or more. In Apache the default is 15 seconds.

In Apache, use this directive: keepalivetimeout 60

In Lighttpd, use this directive: server.max-keep-alive-idle = 60

or

$HTTP["useragent"] =~ "MSIE" { server.max-keep-alive-requests = 0 }

The directive can be used both globally and within each virtualhost. Be aware that adjusting the timeout upwards will consume more resources on heavily loaded webservers. Read the Apache documentation for more information.

Or, for Apache 2, set it to not use Keepalive at all for Internet Explorer clients connecting via SSL in your configs:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

(Remember to restart your webserver after making the changes)

More information

Stephen Kirkham at the University of Alberta has written a paper about the problem - http://telanis.cns.ualberta.ca/

Good description of the problem, but he hasn't discovered the 60 second magic limit :-)

© 1999-2010 by The SquirrelMail Project Team