[jcifs] [Fwd: RE: Auth problems - SSL with WinXP Client]

Eric eric.glass at comcast.net
Sat May 8 09:53:03 GMT 2004


The below describes a solution for issues involving the following 
configuration (and similar configurations using Apache):

Apache - 2.0.46 (Red Hat)
Java - 1.4.2.04
Tomcat - 5.0.19
Davenport - 9.8

Under HTTP, Davenport behaves properly with both IE and Netscape.  Under 
HTTPS, IE fails to connect.  This is due to settings in the default 
HTTPS configuration for Apache, which disable keepalives and downgrade 
to HTTP/1.0 for IE clients.  No idea if removing these options might 
break other applications, but it apparently fixes Davenport in this 
configuration.

The same may be applicable to those using Apache with the jCIFS NTLM filter.

Eric

-------- Original Message --------

I got it working.  For some reason the default ssl.conf (that gets
included in http.conf) makes some adjustments when it finds the browser
is MSIE.  After commenting those out (see the last three lines within
the VirtualHost section below), I can now browse the SMB server
directory structure.

<VirtualHost _default_:443>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0

</VirtualHost>
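
Added example, not part of the original messages and not code from Apache, jCIFS or Davenport: NTLM over HTTP authenticates the connection rather than each request, so a quick audit for active SetEnvIf/BrowserMatch directives that turn off keep-alive or force HTTP/1.0 locates the setting described above. The function names and the sample configuration are constructed for illustration.

```python
import re

# Special Apache env vars that stop a connection being reused between requests.
BREAKERS = {"nokeepalive", "downgrade-1.0", "force-response-1.0"}
# Directive name -> index of the regex token (variables follow it).
DIRECTIVES = {"setenvif": 2, "setenvifnocase": 2,
              "browsermatch": 1, "browsermatchnocase": 1}

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations folded."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_keepalive_breakers(conf_text):
    """Return [(line_no, regex, [variables])] for active directives."""
    findings = []
    for line_no, line in logical_lines(conf_text):
        if not line or line.startswith("#"):   # blank or commented out
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)
        idx = DIRECTIVES.get(tokens[0].lower())
        if idx is None or len(tokens) <= idx:
            continue
        # "!var" unsets a variable, "var=value" sets it; only sets matter here.
        hits = sorted({t.split("=")[0].lower() for t in tokens[idx + 1:]} & BREAKERS)
        if hits:
            findings.append((line_no, tokens[idx].strip('"'), hits))
    return findings

# Constructed sample input: one commented-out directive, one active.
SAMPLE = r'''<VirtualHost _default_:443>
# SetEnvIf User-Agent ".*MSIE.*" nokeepalive downgrade-1.0
SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
</VirtualHost>
'''

if __name__ == "__main__":
    for line_no, regex, hits in find_keepalive_breakers(SAMPLE):
        print(f"line {line_no}: User-Agent ~ {regex!r} sets {', '.join(hits)}")
```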


