Microsoft KB Archive/305217

= &quot;Page cannot be displayed&quot; error during SSL 3.0 Server session time-out =

Article ID: 305217

Article Last Modified on 1/31/2007

-

APPLIES TO


 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01

-



This article was previously published under Q305217



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
When Internet Explorer version 5.5 Service Pack 1 or later tries to POST data, GET data or set up an HTTPS connection with the connect command, Internet Explorer generates an error message that indicates that the page could not be displayed. This problem does not occur in Internet Explorer 5.5.



CAUSE
This problem can occur when the Web server issues an SSL 3.0 closure alert as the port is being closed on the server, because of a possible session time-out. This closure alert is sent across as a Zero Byte Encrypted packet, however, the complete closure message occurs by using 2 different packets. The closure alert arrives with the TCP Flags &quot;.AP...&quot; (Ack Push) to instruct the program that the SSL 3.0 session is closing and another packet with the TCP Flags &quot;.A...F&quot; (Ack Fin) to instruct the TCP layer to close the port on the client computer.

Because the closure alert arrives and the RESET and FIN TCP flags are not set within that packet, there is no way for Wininet.dll to determine that this is not program data, and because of this, the Keep-Alive port is left open on the client until the next Socket Receive call.

This causes the problem to occur because Internet Explorer has two Keep-Alive ports open to the server and the Retry count is equal to 2. When the Socket Receive occurs after the first attempt to send data, the SSL 3.0 closure alert is processed and the TCP closure is processed causing the first Keep-Alive port to be closed and the Retry count to be decremented. Because the retry count is not 0, there is another POST attempt that uses the second Keep-Alive port. However, this too does not work because it has also been closed on the server (again the SSL 3.0 Closure Alert and the TCP Closure packets for this second port as processed on the Socket Receive for the port) and the retry count is decremented again. At this point the retry count is now 0 and the error message is generated that indicates that the page could not be displayed.



Service pack information
A code change has been created to try to reduce the number of failures that are seen with Internet Explorer and SSL 3.0 closure alerts. To take advantage of this change, obtain the latest service pack for Microsoft Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Hotfix information
A mitigation hotfix is now available from Microsoft, but it is relevant only to the problem that is described in this article. Apply it only to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Internet Explorer 6 service pack that contains this hotfix.

To request this hotfix immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Important Install the February, 2003 Cumulative Patch for Internet Explorer before you install this fix. For more information about this update, click the following article number to view the article in the Microsoft Knowledge Base:

810847 February, 2003, Cumulative Patch for Internet Explorer

If you installed this fix before you installed the February, 2003 Cumulative Patch for Internet Explorer, you must reinstall this fix.

Internet Explorer 5.01 on Windows 2000 Service Pack 3
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

 Date       Time    Version         Size      File name -- 13-Jan-2003 10:03  5.0.3513.1300   461,072   Wininet.dll

Internet Explorer 5.5 Service Pack 2
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

 Date       Time    Version           Size      File name -- 13-Jan-2003 10:34   5.50.4925.1300    482,064    Wininet.dll

Internet Explorer 6
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

 Date       Time    Version           Size      File name -- 13-Jan-2003 10:05   6.0.2725.1300     583,680     Wininet.dll

Internet Explorer 6 Service Pack 1
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

 Date       Time     Version           Size      File name -- 13-Jan-2003 09:34    6.0.2800.1157      585,728      Wininet.dll



WORKAROUND
To work around this problem, use either of the following methods:
 * Disable SSL 3.0 closure alerts at the server.
 * Change the Iplanet keep-alive time-out setting from 30 seconds to 300 seconds.

For more information about how to configure this value, click the following article number to view the article in the Microsoft Knowledge Base:

183110 WinInet limits connections per server



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

After you install the hotfix, you may still see failures. The hotfix is only a mitigation fix. In an attempt to resolve the failures that you may see after you install the hotfix, set the following DWORD keys in the Registry Editor to an equal value, such as 4:
 * MaxConnectionsPerServer
 * MaxConnectionsPer1_0Server

To do this, follow these steps:  Click Start, click Run, type regedit, and then click OK. Locate and then click the following subkey in the registry:

</li> If you do not see the MaxConnectionsPerServer or MaxConnectionsPer1_0Server subkeys, add the subkeys. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> On the Edit menu, point to New, and then click DWORD.</li> Type MaxConnectionsPerServer, and then press ENTER.</li> Type MaxConnectionsPer1_0Server, and then press ENTER.</li></ol> </li></ol>

Note By changing these settings, you cause WinInet to go against the HTTP protocol specification recommendation. You should only do this if it is required. Then, you should avoid standard Web browsing while these settings are in effect.

Microsoft is currently reviewing this behavior and looking for a more viable solution in future products.

To determine if you are seeing the SSL 3.0 closure alert issue with Internet Explorer, follow these steps:
 * 1) On the server, turn off SSL 3.0. Then, turn on SSL 2.0 to prevent the closure alerts from being sent.
 * 2) On the client, set the MaxConnectionsPerServer value to 1.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Additional query words: kbiepcbd ISA

Keywords: kberrmsg kbbug kbfix kbqfe kbenv kbie550presp2fix kbwin2ksp4fix kbhotfixserver KB305217

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.