Dear all,

I'm working with an XML messaging protocol where
messages are exchanged by means of SSL connections.

The client needs to open/close a new connection for
every message to be sent (the server adopts this policy
and it is not possible to change it), so I was trying
to understand a little more about BIO_do_connect.

In the past, I used to "sleep(2)" on BIO_do_connect
to wait for the SSL handshake to be performed; here is a
snippet of code:

// CTX settings (keys, cert, ...)
BIO_get_ssl(out, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
BIO_set_nbio(out,1);

if (BIO_do_connect(out) <= 0){
     sleep(2);
}

However, I noticed "sleep(2)" slows down my client
application. I got better times if I don't use sleep
and go directly to BIO_read and BIO_write, and
wait for the BIO to be ready using the int values returned
by these functions and the related macro BIO_should_read:

...
bytesRead = BIO_read(out, buf, sizeof(buf));

while ( (!(bytesRead == 0)) && (count < NTRIES)){
    if (bytesRead < 0) {
        if (BIO_should_read(out) || BIO_should_retry(out))

This works almost fine with SSLv3, but if I try to use
TLS 1 (the server supports both) I receive too many
connection errors.

Checking what is happening with ssldump, I see the
handshake hangs up on ClientKeyExchange, when the
master key should already be agreed:

ssldump -q

6 1  0.1293 (0.1293)  C>S SSLv2 compatible client hello
6 2  0.2623 (0.1329)  S>C  Handshake      ServerHello
6 3  0.6656 (0.4032)  S>C  Handshake      Certificate
      ServerKeyExchange
      CertificateRequest
        certificate_authority
        certificate_authority
      ServerHelloDone
6 4  0.6945 (0.0289)  C>S  Handshake      Certificate
6 5  0.8243 (0.1298)  C>S  Handshake      ClientKeyExchange

How could I improve and possibly speed up SSL
connection time in a correct manner?

Thanks,
Marco Rossi


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
