Page Cannot Be Displayed Error During SSL 3.0 Server Session Timeout (Q305217) -------------------------------------------------------------------------------- The information in this article applies to: Microsoft Internet Explorer version 6 for Windows 2000 Microsoft Internet Explorer version 5.5 Service Pack 1 , for Windows 2000 Microsoft Internet Explorer version 6 for Windows NT 4.0 Microsoft Internet Explorer version 5.5 Service Pack 1 , for Windows NT 4.0 Microsoft Internet Explorer version 6 for Windows Millennium Edition Microsoft Internet Explorer version 5.5 Service Pack 1 , for Windows Millennium Edition Microsoft Internet Explorer version 6 for Windows 98 Second Edition Microsoft Internet Explorer version 5.5 Service Pack 1 , for Windows 98 Second Edition -------------------------------------------------------------------------------- SYMPTOMS When Internet Explorer version 5.5 Service Pack 1 or later tries to POST data to or GET data from a Secure Sockets Layer (SSL) version 3.0 connection with Keep-Alives enabled, Internet Explorer generates an error message that indicates that the page could not be displayed. Note that this problem does not occur in Internet Explorer 5.5. CAUSE This problem can occur when the Web server issues an SSL 3.0 closure alert as the port is being closed on the server, because of a possible session timeout. This closure alert is sent across as a Zero Byte Encrypted packet, however, the complete closure message occurs by using 2 different packets. The closure alert arrives with the TCP Flags ".AP..." (Ack Push) to instruct the program that the SSL 3.0 session is closing and another packet with the TCP Flags ".A...F" (Ack Fin) to instruct the TCP layer to close the port on the client computer. Because the closure alert arrives and the RESET and FIN TCP flags are not set within that packet, there is no way for Wininet.dll to determine that this is not program data, and because of this, the Keep-Alive port is left open on the client until the next Socket Receive call. This causes the problem to occur because Internet Explorer has two Keep-Alive ports open to the server and the Retry count is equal to 2. When the Socket Receive occurs after the first attempt to send data, the SSL 3.0 closure alert is processed and the TCP closure is processed causing the first Keep-Alive port to be closed and the Retry count to be decremented. Because the retry count is not 0, there is another POST attempt that uses the second Keep-Alive port. However, this too does not work because it has also been closed on the server (again the SSL 3.0 Closure Alert and the TCP Closure packets for this second port as processed on the Socket Receive for the port) and the retry count is decremented again. At this point the retry count is now 0 and the error message is generated that indicates that the page could not be displayed. RESOLUTION A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem. This fix may receive additional testing at a later time, to further ensure product quality. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Internet Explorer 5.5 service pack that contains this fix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/directory/overview.asp NOTE : In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The English version of this fix should have the following file attributes or later: Date Time Version Size File name --------------------------------------------------------- Aug 08, 2001 13:26 5.50.4720.0800 480,016 Wininet.dll WORKAROUND To work around this problem: At the server, increase the "Keep Alive Timeout" to 65 (seconds) and increase "Max Keep Alive Sessions" to 300. At the server, disable SSL 3.0 and enable SSL 2.0 to prevent the Closure Alerts from being sent. At the client, set the MaxConnectionsPerServer value to 1. For additional information about how to configure this value, click the article number below to view the article in the Microsoft Knowledge Base: Q183110 INFO: WinInet Limits Connections Per Server STATUS Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article. MORE INFORMATION For additional information about the SSL 3.0 Closure Alert, please refer to the SSL 3.0 Specification section 5.4.1 located on the following Web site: http://home.netscape.com/eng/ssl3/draft302.txt The third-party contact information included in this article is provided to help you find the technical support you need. This contact information is subject to change without notice. Microsoft in no way guarantees the accuracy of this third-party contact information. |