Hi, First let me state upfront that I am relatively very new to OpenSSL. Also please forgive me if this is not the correct mailing list for this issue.
We have a product which uses OpenSSL to connect and transfer application level data. There are two ways to connect, and get the application level data from *Agent* to *Client* 1. Client (C/C++) -> Agent (C/C++) 2. Client (C/C++) -> Proxy Server (Java) -> Agent (C/C++) *Client* and *Agent* are implemented in C, while *Proxy Server* uses Java code (This shouldn't really matter). But might be helpful for you to know. The issue is, connecting *Client* to *Agent* is very fast (that is relatively). While connecting *Client* to *Proxy Server* is very slow - that is orders of magnitudes slow. I was trying to determine the root cause. From my analysis is appears that, maximum time on the *Client* side is taken by SSL_Connect during connection establishment, while the actual application level data transfer takes very small time. Similarly, on the *Proxy Server* side (Java Code), maximum time is taken in the first read/write whichever happens first. Further, I don't think this is a network latency issue, as the problem is very pronounced and all the three boxes are on the same network. Also, the *Client* code seems to be similar, whether we connect to *Agent* (method 1 above) or *Proxy Server* (method 2 above). So, the issue is with *Proxy Server*, IMHO. To further locate the issue, I did some tests using ssldump command, *************************************** This is for *Client -> Agent* *************************************** 1 1 0.0023 (0.0002) C>S Handshake ClientHello Version 3.1 cipher suites TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_IDEA_CBC_SHA TLS_RSA_WITH_RC4_128_SHA Unknown value 0xff compression methods NULL 1 2 0.0091 (0.0068) S>C Handshake ServerHello Version 3.1 session_id[0]= cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL 1 3 0.0091 (0.0000) S>C Handshake Certificate 1 4 0.0091 (0.0000) S>C Handshake CertificateRequest certificate_types rsa_sign certificate_types dss_sign ServerHelloDone 1 5 0.0104 (0.0013) C>S Handshake Certificate 1 6 0.0104 (0.0000) C>S Handshake ClientKeyExchange 1 7 0.0104 (0.0000) C>S ChangeCipherSpec 1 8 0.0104 (0.0000) C>S Handshake 1 9 0.0159 (0.0054) S>C Handshake TLS_RSA_WITH_RC4_128_MD51 10 0.0159 (0.0000) S>C ChangeCipherSpec 1 11 0.0159 (0.0000) S>C Handshake 1 12 0.0163 (0.0004) C>S application_data 1 13 0.0174 (0.0011) S>C application_data 1 14 0.0176 (0.0001) C>S application_data 1 15 0.0186 (0.0010) S>C application_data 1 16 0.0189 (0.0002) C>S application_data 1 17 0.0200 (0.0010) S>C application_data 1 18 0.0203 (0.0002) C>S application_data 1 0.0205 (0.0002) C>S TCP FIN 1 19 0.0207 (0.0001) S>C Alert 1 0.0209 (0.0001) S>C TCP FIN *************************************** This is for *Client -> Proxy Server* *************************************** 1 1 0.0025 (0.0025) C>S Handshake ClientHello Version 3.1 cipher suites TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_IDEA_CBC_SHA TLS_RSA_WITH_RC4_128_SHA Unknown value 0xff compression methods NULL 1 2 3.2949 (3.2923) S>C Handshake ServerHello Version 3.1 session_id[32]= 54 76 ca 2c bd 84 37 f9 98 7a b1 57 1f 61 9a 3d 40 89 58 89 e6 14 5f 39 8b 96 62 87 8f a9 30 8f cipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL Certificate ServerKeyExchange ServerHelloDone 1 3 3.3135 (0.0186) C>S Handshake ClientKeyExchange DiffieHellmanClientPublicValue[96]= 9c 38 d3 b5 10 3f 4d a6 54 a9 84 02 b3 f2 25 79 e1 f0 6e 6f 56 35 44 73 13 40 4e c0 6b 2a e7 64 ff 4a a0 7a 34 82 1e d9 35 70 d1 43 f8 c5 18 c4 56 54 a6 32 33 bc 1a 35 62 fe 36 cc 33 f4 a0 15 6d 7a ea 5e a6 f5 d6 d7 21 45 16 30 08 2b bc e9 4c 25 32 64 b3 a3 b9 21 db 26 b1 6c 4c 92 34 aa 1 4 3.3135 (0.0000) C>S ChangeCipherSpec 1 5 3.3135 (0.0000) C>S Handshake 1 6 3.3241 (0.0106) S>C ChangeCipherSpec 1 7 3.3638 (0.0396) S>C Handshake 1 8 3.3638 (0.0000) S>C application_data 1 9 3.3646 (0.0007) C>S application_data 1 10 3.3646 (0.0000) C>S application_data 1 11 3.4196 (0.0549) S>C application_data 1 12 3.4196 (0.0000) S>C application_data 1 13 3.4270 (0.0073) C>S application_data 1 14 3.4271 (0.0000) C>S application_data 1 15 3.4271 (0.0000) C>S application_data 1 16 3.4646 (0.0375) S>C application_data 1 17 3.4646 (0.0000) S>C application_data 1 18 3.4649 (0.0002) C>S application_data 1 19 3.4649 (0.0000) C>S application_data 1 3.4652 (0.0003) C>S TCP FIN 1 20 3.4657 (0.0005) S>C Alert 1 3.4658 (0.0000) S>C TCP FIN ************************************************************ As you can see the big time difference between the two executions - which actually involve the same application level data. The largest chunk of time is spent waiting for handshake from *Proxy Server*. The response time of *Proxy Server* in replying back with ServerHello, varies greatly between 1.5 to 11 seconds across different runs. In the present case it is nearly 3.3 seconds - which IMO is not acceptable. Thanks, for reading through such a lengthy email. If anybody can kindly provide his inputs, or even point me in the right direction, I shall be highly grateful. Any other comments or suggestions are also highly welcome. Thanks for your patience, Prabhat. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org