From cd91e65ab2ca8c0fbc09b051e338ed87cf040c95 Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Thu, 22 Nov 2012 13:44:27 +0000
Subject: [PATCH] Fix too widely open regexp targeting SSL/TLS settings of Microsoft Internet Explorer. See rant: http://newestindustry.org/2007/06/06/dear-apache-software-foundation-fix-the-msie-ssl-keepalive-settings/ This is also ack'ed by Apache and fixed in their httpd's trunk: https://issues.apache.org/bugzilla/show_bug.cgi?id=49484 http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?view=markup
---
 apache/templates/site.https.conf.erb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb
index 30e9982..14f55be 100644
--- a/apache/templates/site.https.conf.erb
+++ b/apache/templates/site.https.conf.erb
@@ -138,9 +138,10 @@ SSLCertificateChainFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
 # Similarly, one has to force some clients to use HTTP/1.0 to workaround
 # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 # "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+

 # Per-Server Logging:
 # The home of a custom SSL log file. Use this when you want a
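Review bot: The new `BrowserMatch "MSIE [2-5]"` pattern is still open on the right, so any User-Agent whose MSIE version merely begins with 2–5 gets keep-alive disabled and the HTTP/1.0 downgrade; `BrowserMatch "MSIE [2-5]\."` would pin it to the single-digit major versions the workaround targets. The comment above the directive, which starts outside this hunk, still reads as if the workaround applied to clients in general; a line such as `# Only MSIE 2-5 need this workaround; see Apache bug 49484.` would keep a later edit from widening the match again. Because User-Agent is client-supplied, these variables are only a compatibility switch and should not feed any policy decision elsewhere in the template. The fourth added line is empty and appears to leave two blank lines before the Per-Server Logging comment.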