Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference

Example

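The following AuthTrans directive instructs Proxy Server to suppress the SSL close_notify alert, disable keep-alive connections, and downgrade the HTTP version to 1.0 when the browser’s User-Agent header contains the string Broken or broken: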


AuthTrans fn="match-browser" browser="*[Bb]roken*" ssl-unclean-shutdown="true" keep-alive="disabled" http-downgrade="1.0"

The following table describes the variables used in the example.

Table 5–36 Description of variables

Variable 

Description 

ssl-unclean-shutdown

Microsoft Internet Explorer (MSIE) handling of SSL version 3 (SSLv3) and Transport Layer Security (TLS) keep-alive connections causes interoperability problems with non-Microsoft web servers such as iPlanet Web Server. When accessing a web server over SSL (https://) connections, Internet Explorer may display error messages or blank pages. iPlanet Web Server 6.0 SP2 introduces new functionality to work around this problem.

Add the following line immediately below the <object name="default"> line in the server's obj.conf files:


AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"

This line instructs the server not to send a close_notify alert when it closes SSLv3 connections from MSIE browsers. The close_notify packet is a required component of the SSLv3 and TLS specifications, but it is misinterpreted by MSIE.


Note –

Instructing iPlanet Web Server not to send the close_notify packet may make MSIE vulnerable to a truncation attack.


keep-alive

Microsoft Internet Explorer (MSIE) handling of SSL version 3 (SSLv3) and Transport Layer Security (TLS) keep-alive connections causes interoperability problems with non-Microsoft web servers such as iPlanet Web Server. When accessing a web server over SSL (https://) connections, Internet Explorer may display error messages or blank pages. iPlanet Web Server 6.0 SP2 introduces new functionality to work around this problem.

Add the following line immediately below the <object name="default"> line in the server's obj.conf files:


AuthTrans fn="match-browser" browser="*MSIE*" keep-alive="disabled"

This line instructs the server to disable keep-alive connections for Internet Explorer browsers.


Note –

Disabling keep-alive connections may decrease your server's performance.


http-downgrade

Use the following methods to downgrade the HTTP version to 1.0: 

  • To downgrade requests from Microsoft Internet Explorer to HTTP/1.0, add the following to the obj.conf file:

    AuthTrans fn="match-browser" browser="*MSIE*" http-downgrade="1.0"

  • To downgrade all requests to HTTP/1.0, add the following to the magnus.conf file:

    HttpVersion 1.0
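
As an added example (not part of the Oracle reference), the following Python script audits an obj.conf for match-browser directives that set the three parameters described above, so each workaround and the trade-off stated for it can be reviewed per browser pattern. It assumes that continuation lines begin with whitespace and that comments begin with #; the sample configuration and the function names are constructed for illustration.

```python
import re

# Parameter/value pairs from the table above, with the trade-off the page states.
RISKS = {
    ("ssl-unclean-shutdown", "true"): "close_notify suppressed; truncation attack exposure",
    ("keep-alive", "disabled"): "keep-alive disabled; possible performance loss",
    ("http-downgrade", "1.0"): "HTTP version downgraded to 1.0",
}
PARAM = re.compile(r'([\w-]+)="([^"]*)"')

def logical_lines(text):
    """Yield (first_line_number, directive), joining continuation lines.
    Assumption: a line starting with whitespace continues the previous one."""
    current = None
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and current:
            current[1] += " " + raw.strip()
            continue
        if current:
            yield tuple(current)
        current = [number, raw.strip()]
    if current:
        yield tuple(current)

def audit(text):
    """Return (line, browser pattern, parameter, note) for each flagged setting."""
    findings = []
    for number, directive in logical_lines(text):
        params = dict(PARAM.findall(directive))
        if params.get("fn") != "match-browser":
            continue
        for (key, value), note in RISKS.items():
            if params.get(key, "").lower() == value:
                findings.append((number, params.get("browser", ""), key, note))
    return findings

# Constructed sample obj.conf fragment (not taken from a real server).
SAMPLE = '''<Object name="default">
AuthTrans fn="match-browser" browser="*[Bb]roken*" ssl-unclean-shutdown="true"
    keep-alive="disabled" http-downgrade="1.0"
# AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
AuthTrans fn="match-browser" browser="*MSIE*" keep-alive="disabled"
Service fn="proxy-retrieve"
</Object>
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: browser=%s %s -> %s" % finding)
```

A directive whose second line is not indented is read as two separate directives, so the parameters on the second line are not attributed to match-browser and are not reported.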