Re: Improving ssl conection time

Sun, 07 May 2006 12:39:02 -0700

You might want to check out SSL_set_session() and friends. This will allow your programs to reuse a session and avoid the negotiation. 


On May 7, 2006, at 8:03 AM, Marco Rossi wrote:


Dear all,

I'm working with an xml messaging protocol where
messages are exchaged by means of ssl connections.

The client needs to open/close a new connection for
every message to sent (the server adopts this policy
and it is not possible to change it), so I was trying
to understand a little more on BIO_do_connect.

In the past, I used to "sleep(2)" on BIO_do_connect to
  to waif for ssl handshake to be performed, here a
snip of code

// CTX settngs (keys, cert,...)
BIO_get_ssl(out, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
BIO_set_nbio(out,1);

if (BIO_do_connect(out) <= 0){
     sleep(2);
}

However I noticed "sleep(2)" slows down my client
application, I got better times if I don't use sleep
and I go directly to use BIO_read and BIO_write, and
wait for the BIO to be ready using int values returned
by these functions and related macro BIO_should_read

...
bytesRead = BIO_read(out, buf, sizeof(buf));

while ( (!(bytesRead == 0)) && (count <NTRIES)){
      if (bytesRead <0) {

if(BIO_should_read(out) || BIO_should_retry(out))

This works almost fine with SSLv3 but if I try to use
TLS 1 (server supports both) I receive too much
connection error.

Checking what is happening with ssldump I see the
handshake hangs up on ClientKeyExchange when the
master key should be already be aggred

ssldump -q

6 1  0.1293 (0.1293)  C>S SSLv2 compatible client
hello
6 2  0.2623 (0.1329)  S>C  Handshake      ServerHello
6 3  0.6656 (0.4032)  S>C  Handshake      Certificate
      ServerKeyExchange
      CertificateRequest
        certificate_authority
        certificate_authority
      ServerHelloDone
6 4  0.6945 (0.0289)  C>S  Handshake      Certificate
6 5  0.8243 (0.1298)  C>S  Handshake
ClientKeyExchange

How could I improve and possibly speed up ssl
connetion time in a correct manner ?

Thanks,
Marco Rossi


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]





Attachment:
smime.p7s

Description: S/MIME cryptographic signature














    











					Reply via email to