On Tue, Oct 07, 2003 at 07:17:06PM -0700, Sarah Haff wrote:
> >Other suggestions could be turning on keepalives and possibly to remove
> >some of the weaker cipher options from SSLCipherSuite.
> How does removing weaker cipher improve the performance?

It doesn't improve performance - but I've seen cases where Internet Explorer would allow a session to live longer if it was negotiated to a newer cipher like TLS instead of SSLv2.

> >How does the cpu usage look on the server? If the load isn't high, then
> >you probably won't win much with an ssl accelerator.
> It is a quad CPU server 2.8 GHz, so the max CPU usage goes to 10% per CPU.
>
If that is the case, then it doesn't seem likely to me that a hardware accelerator will improve things much. With that much cpu power to spare, there shouldn't be any significant slowdown in the connect.

If you have an SSL-enabled benchmark tool (could be a recent ab from apache), then try seeing what happens when you run a number of concurrent requests - do they start to fail?

I'm inclined to think that the problem could be related to keepalives, where Internet Explorer tries to open more connections than it can handle at once because keepalives are turned off (the SetEnvIf I mentioned). It should be possible to determine with netstat or LogLevel debug. If that isn't the case, then I can only think of things like a blocking random device, or some other resource being exhausted.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations"
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation"
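
The netstat check suggested in the message above, as an added example that is not part of the original post: it counts connections to the HTTPS port per client and lists clients with many TIME_WAIT entries, which is what the server side tends to show when it closes a connection after every request instead of keeping it alive. The function names, the threshold of 3 and the sample addresses are assumptions made for illustration, and the parser assumes the column layout of Linux `netstat -tn`.

```shell
#!/bin/sh
# Usage on a live server:  netstat -tn | summarize_https_conns 443

# Read `netstat -tn` output on stdin and print one line per client:
#   client_ip established time_wait total   (sorted by total, descending)
summarize_https_conns() {
    awk -v port="${1:-443}" '
        $1 ~ /^tcp/ {
            # Columns: Proto Recv-Q Send-Q Local Foreign State
            n = split($4, loc, ":")
            if (loc[n] != port) next          # keep only the HTTPS listener
            ip = $5; sub(/:[0-9]+$/, "", ip)  # strip the client source port
            total[ip]++
            if ($6 == "ESTABLISHED") est[ip]++
            if ($6 == "TIME_WAIT")   tw[ip]++
        }
        END {
            for (ip in total)
                printf "%s %d %d %d\n", ip, est[ip], tw[ip], total[ip]
        }
    ' | sort -k4,4nr -k1,1
}

# Print clients with at least $1 TIME_WAIT entries (assumed threshold: 3).
# Many TIME_WAIT entries next to few ESTABLISHED ones is a hint, not proof,
# that the client is getting a new connection per request.
churning_clients() {
    summarize_https_conns 443 | awk -v min="${1:-3}" '$3 >= min { print $1 }'
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:443          198.51.100.7:3201       TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.7:3202       TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.7:3203       TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.7:3204       ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:3205       TIME_WAIT
tcp        0      0 192.0.2.10:443          203.0.113.20:4410       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.20:4411       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.99:5000       ESTABLISHED
EOF
}

sample_netstat | summarize_https_conns 443
```

Running the same summary before and after changing the keepalive setting shows whether the per-client TIME_WAIT count actually drops.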
