Mon, 19 Mar 2007 21:14:33 . . . . [Fixed a typo (comination -> combination)]


= Internet Explorer versus SSL =

The problem comes from buggy handling of the combination SSL+POST+HTTP Keep-Alive in Internet Explorer. Problems with this combination have been around in different shapes since at least IE5.

== Problem ==

Users using Internet Explorer experience the following:

Sometimes when using different functions of SquirrelMail, especially when composing mail (adding an attachment or pushing Send), Internet Explorer either:

* Goes into some form of limbo - the flag in the upper right corner is waving, but nothing happens.

* Displays an error page in the right-hand frame

* Pops up a dialogue box saying (English version) "This page contains both secure and nonsecure items. Do you want to display the nonsecure items? Yes/No/More Info". It does not matter if you push Yes or No - you don't get any further.

== Cause ==

Internet Explorer + SSL + HTTP POST + HTTP Keep-Alive Enabled + HTTP Keep-Alive Timeout below 60 seconds = Poor mix. Given these conditions Internet Explorer will misbehave. It seems Internet Explorer simply cannot cope with a Keep-Alive Timeout lower than 60 seconds when performing POST operations towards an SSL-enabled webserver.

== Solution ==

Configure your webserver with a Keep-Alive Timeout of 60 seconds or more. In Apache the default is 15 seconds.

In Apache, use this directive: KeepAliveTimeout 60

In Lighttpd, use this directive: server.max-keep-alive-idle = 60

Or, in Lighttpd, disable Keep-Alive for Internet Explorer clients only:

$HTTP["useragent"] =~ "MSIE" { server.max-keep-alive-requests = 0 }

The directive can be used both globally and within each virtualhost. Be aware that adjusting the timeout upwards will consume more resources on heavily loaded webservers. Read the Apache documentation for more information.

Or, for Apache 2, set it to not use Keepalive at all for Internet Explorer clients connecting via SSL in your configs:


SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


(Remember to restart your webserver after making the changes)
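An added example, not part of the SquirrelMail documentation: a small Python check that reads an Apache configuration as text and reports whether it still matches the condition described under Cause (Keep-Alive on, timeout below 60 seconds, no MSIE nokeepalive rule). The function name and sample configs are constructed for illustration, and the check assumes a flat config where the last value wins, ignoring virtualhost scoping.

```python
import re

APACHE_DEFAULT_TIMEOUT = 15   # Apache default, as stated on this page
MIN_TIMEOUT = 60              # threshold given on this page

def ie_ssl_post_at_risk(conf_text):
    """Return (at_risk, reason) for an Apache config passed as a string.

    Assumption: flat config, last directive wins (no virtualhost scoping).
    """
    timeout = APACHE_DEFAULT_TIMEOUT
    keepalive_on = True
    msie_rule = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments are whole lines
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()                   # directive names are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name == "keepalivetimeout":
            m = re.fullmatch(r"(\d+)(ms)?", arg, re.I)
            if m:                                 # "60" is seconds, "100ms" is milliseconds
                n = int(m.group(1))
                timeout = n / 1000 if m.group(2) else n
        elif name == "keepalive":
            keepalive_on = arg.lower() != "off"
        elif name in ("setenvif", "setenvifnocase",
                      "browsermatch", "browsermatchnocase"):
            low = arg.lower()
            if "msie" in low and "nokeepalive" in low:
                msie_rule = True
    if not keepalive_on:
        return (False, "KeepAlive is off")
    if msie_rule:
        return (False, "nokeepalive is set for MSIE clients")
    if timeout < MIN_TIMEOUT:
        return (True, "KeepAliveTimeout is %gs, below %ds" % (timeout, MIN_TIMEOUT))
    return (False, "KeepAliveTimeout is %gs" % timeout)

# Constructed sample configs
SAMPLE_DEFAULT = "Listen 443\nSSLEngine on\n# KeepAliveTimeout 60\n"
SAMPLE_FIXED = "SSLEngine on\nkeepalivetimeout 60\n"
SAMPLE_MSIE = ('KeepAliveTimeout 5\n'
               'SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown\n')

if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED),
                        ("msie rule", SAMPLE_MSIE)):
        print(label, ie_ssl_post_at_risk(conf))
```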

== More information ==

Stephen Kirkham at the University of Alberta has written a paper about the problem - http://telanis.cns.ualberta.ca/

Good description of the problem, but he hasn't discovered the 60 second magic limit :-)

© 1999-2016 by The SquirrelMail Project Team