[squid-users] Massive problems with https connections to Domino Server (long)

From: Rainer Traut <rainer.traut@dont-contact.us>
Date: Thu, 05 Feb 2004 09:18:38 +0100

Hi,
I have asked this question some time ago but we have never found
a solution.

We are using squid 2.5 S4 and also tried v3, OS is Redhat EL ES3,
clients are always IE6 and IE5.5.
Squid is the gateway to a small transfer net to firewall and then to DMZ
and internet.
Firewall has changed from Checkpoint FW1 to an iptables firewall, but no
change in behaviour.

I can log in to Domino server fine but after some views and clicking too
fast in our web application IE comes to a standstill, the domino server
is blocked, there is no http or https traffic to the domino server.
Nobody can work anymore!

Exactly when I close my IE, everything works normally; http and https run fine.
This happens *only* if I use squid, when I go directly this never
happens, all is fine.

Here is my observation:

There are many tcp connections from my client to squid in state
'connected' (around 20 to 30)
and there are many connections from squid to domino server in state
'connected' (again around 20 to 30)

Output of the domino http task:
05.02.2004 08:45:14 Http Worker Thread ID [44012]: Working session [4014]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [48013]: Working session [3fed]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [4c014]: Working session [3fee]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [50015]: Working session [3fef]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [54016]: Working session
... cut here
for as many http worker threads as I configure (around 20 to 30...).

The question is: why does the SSL handshake go wrong, and why is the
connection not getting terminated?
And why don't I see this behaviour without squid?

Here is an excerpt from domino release notes that might go into this
direction:

SSL Session Resumption
SSL now performs session resumption. This will greatly improve
performance when the Notes HTTP Client or server is
using SSL, and may have a minor (positive) effect on other "Internet"
protocols as well.
The default number of resumable sessions that will be cached on the
server is 50. To modify the number of sessions
cached, set the SSL_RESUMABLE_SESSIONS notes.ini variable to the desired
number. Setting
SSL_RESUMABLE_SESSIONS=1 will disable SSL session resumption on the server.
In Domino 6, the number of resumable sessions will not dynamically climb
to match the server SSL load, and there is
currently no means of configuring sessions to time out and expire.

Benign Internet Explorer error message
Error messages that look like this
handshake failure, IP address [9.99.99.999], Keyring [R6keyfile.kyr], [SSL
Error: Network IO error], code [4165]
are produced in many benign circumstances, especially by Microsoft
Internet Explorer. The most frequent
circumstance is when IE drops an SSL connection and then resumes it. The
error is generated even though there is no
apparent interruption perceived by the client.

Any help is really appreciated!

Rainer
Received on Thu Feb 05 2004 - 01:43:17 MST
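
As an added example (not part of the original post), a small Python check for the symptom described above: every Domino HTTP worker thread parked in the SSL Handshake state. It parses the thread listing in the format quoted in the post; the function names and the `configured_workers` parameter are assumptions made for this illustration.

```python
import re
from collections import Counter

# Thread listing copied from the post, still mail-wrapped; the last record is cut off.
SAMPLE = """\
05.02.2004 08:45:14 Http Worker Thread ID [44012]: Working session
[4014]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [48013]: Working session
[3fed]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [4c014]: Working session
[3fee]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [50015]: Working session
[3fef]: Session State [SSL Handshake] :
05.02.2004 08:45:14 Http Worker Thread ID [54016]: Working session
... cut here
"""

STAMP = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(
    r"(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Http Worker Thread ID "
    r"\[(?P<thread>[0-9a-fA-F]+)\]: Working session \[(?P<session>[0-9a-fA-F]+)\]: "
    r"Session State \[(?P<state>[^\]]+)\]"
)

def parse_workers(text):
    """Re-join wrapped lines, then return one dict per complete record."""
    records, current = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line):          # a timestamp starts a new record
            records.append(current)
            current = line
        else:                          # continuation of a wrapped record
            current += " " + line
    records.append(current)
    # Truncated records (like the last one in SAMPLE) do not match and are skipped.
    return [m.groupdict() for m in map(RECORD.search, records) if m]

def handshake_saturation(text, configured_workers, state="SSL Handshake"):
    """Report how many worker threads sit in `state` versus the configured pool size."""
    latest = {w["thread"]: w["state"] for w in parse_workers(text)}  # last state per thread
    counts = Counter(latest.values())
    stuck = counts[state]
    return {"stuck": stuck, "configured": configured_workers,
            "saturated": stuck >= configured_workers, "by_state": dict(counts)}

if __name__ == "__main__":
    # configured_workers=4 is an assumed pool size matching the four complete sample records.
    print(handshake_saturation(SAMPLE, configured_workers=4))
```

With the pool size set to the real number of configured HTTP worker threads, a `saturated` result means no worker is left to serve new requests, which matches the standstill described in the post.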
