                   ===============================
                   WebSite/WebSite Pro HotFix 1.1h
                   ===============================

This is WebSite and WebSite Pro 1.1h HotFix. 

**************************************************************
*         It requires that you have updated your             *
*       installation with the 1.1g Service Release           *
*           prior to installing this HotFix.                 * 
**************************************************************

The HotFix improves ISAPI compatibility, fixes several urgent bugs, 
and includes a workaround for the broken SSL V2 support
in Microsoft Internet Explorer Versions 3.0 and 3.01 (see note below).

Bugs fixed in this release:
==========================

(1) The ISAPI GetServerVariable() function was changed to conform 
    to the real world behavior (as opposed to the specification). 
    It also now returns the specified Win32 error codes via 
    GetLastError(). 

(2) Content length reported for some non-200 responses was incorrect.
    This has now been fixed.

(3) There is no longer a practical limit to the number of access 
    control entries (ACEs), users and groups, url-to-file mappings, 
    and redirection mappings that can be configured. 

    Note that large numbers of ACEs and mappings can degrade the 
    performance of WebSite under very heavy load conditions.

(4) The server no longer crashes when paused under NT 3.5x.

(5) AUTH_INTERNAL feature of WSAPI now works as documented

(6) Fixed non-fatal thread exception when Netscape browser refuses an 
    SSL connect (cert expired or mismatched CN, user hits cancel). 

(7) ISAPI interface was fixed for SSL with extensions that return
    pending status and later signal their completion.

(8) Two undocumented ServerSupportFunction codes are now supported
    by ISAPI. It is unclear whether these are implemented exactly
    as they are in IIS... this is a best effort in the absence of
    any documentation.

(9) Added more protection against corrupt/huge HTTP headers on incoming
    requests and from CGI programs.

(10) Corrected a problem that caused CGI to stop working and start
     generating exceptions, requiring a server restart.

(11) Fixed an authentication tracing message that generated an
     exception.

(12) Changed the control architecture in an effort to better handle 
     "stuck connections".


SSL V2 and Microsoft Internet Explorer V3.0x
============================================

We have discovered that Microsoft Internet Explorer 3.0 and 3.01 do not 
correctly implement the Secure Sockets Layer protocol, Version 2. This
version of SSL has been in widespread use since mid-1995, and there are
many servers in use today that employ SSL V2. The technical explanation
of Microsoft's protocol violation is beyond the scope of this document.
Microsoft has been informed of their bug. However, in an effort to 
permit our customers to provide secure communication with the broken
versions of Internet Explorer, we have incorporated a "hack" into 
WebSite Professional. The effect of this workaround is to disable 
the periodic renegotiation of bulk encryption keys between the 
browser and server ONLY FOR INTERNET EXPLORER VERSIONS 3.0 AND 3.01. 
This reduces the security of the SSL connection somewhat, however it 
permits WebSite Professional to operate correctly with the broken 
Internet Explorer browsers.

Note that this problem is not applicable to the Microsoft Internet
Information Server (IIS), as it uses a Microsoft-proprietary security 
protocol called Personal Communication Technology (PCT) when talking to 
Internet Explorer. In addition, the problem is not applicable to the
very newest Netscape servers as these use the new SSL version 3
protocol, which is not broken in Internet Explorer. We will support SSL
version 3 in the next major version of WebSite Professional, currently
scheduled for first beta in March 1997.

                     ***** End *****

kks;11hab;020597

