On Tue, Aug 27, 2002 at 01:58:41PM -0600, Nevin Pratt wrote:
>
> I'm seeing a performance issue with Stunnel that I haven't tracked down yet.
>
> To access my wife's (squeek driven) site unsecured, try:
>
> http://www.bountifulbaby.com
>
> To access her site secured using stunnel SSL, try:
>
> https://www.bountifulbaby.com
>
> (note the 'https' instead of 'http')
>
> The site is hosted on FreeBSD, and driven by Squeak.
>
> The second URL above connects to the Stunnel daemon via SSL, and the
> Stunnel daemon uses port forwarding to speak to Squeak.
Coming from a residential DSL connection in Denver, the ICMP latency to your
site is what makes this so slow:
64 bytes from cpe-66-1-184-254.ut.sprintbbd.net (66.1.184.254): icmp_seq=0
ttl=238 time=164.231 msec
So, watch this SSL connection take place (using Eric Rescorla's
excellent ssldump):
$ sudo ssldump -i eth0 port 443
Kernel filter, protocol ALL, raw packet socket
New TCP connection #1: www.pburkholder.com(32979) <->
cpe-66-1-184-254.ut.sprintbbd.net(443)
1 1 0.2100 (0.2100) C>S Handshake
ClientHello
Version 3.1
resume [32]=
9b ca f7 eb 31 1f 32 87 08 d5 91 c7 2b 8d ac 00
81 5a e7 00 74 cf c3 8d 08 5c bd a2 d8 bc 2f 9b
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 2 0.4900 (0.2800) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
9b ca f7 eb 31 1f 32 87 08 d5 91 c7 2b 8d ac 00
81 5a e7 00 74 cf c3 8d 08 5c bd a2 d8 bc 2f 9b
cipherSuite TLS_RSA_WITH_RC4_128_SHA
compressionMethod NULL
1 3 0.4900 (0.0000) S>C ChangeCipherSpec
1 4 0.4900 (0.0000) S>C Handshake
1 5 0.5100 (0.0200) C>S ChangeCipherSpec
1 6 0.8200 (0.3100) C>S Handshake
1 7 0.8200 (0.0000) C>S application_data
1 8 1.6000 (0.7800) S>C application_data
1 9 1.6000 (0.0000) S>C Alert
1 10 2.0000 (0.4000) C>S application_data
1 12.3800 (10.3800) S>C TCP FIN
and you'll see that it's only at packet exchange 7 (Client>Server
application_data) that the HTTP GET is finally issued, so you're already
0.82 seconds into this. You may want to enable compression since latency
bandwidth issues may be a bigger hit than compression processing.
Cheers,
Peter
>
> Notice how much slower the second URL is than the first one. I haven't
> yet tracked down why. Anybody know?
>
> Nevin
>
>
>
>
> Stephen Pair wrote:
>
> >Check out http://www.stunnel.org ...I've used it to serve Swikis through
> >SSL in the past. You'll run stunnel on the machine where ComSwiki is
> >running and make incoming SSL connections (to stunnel) forward to
> >ComSwiki on the localhost. You can then disable insecure connections to
> >ComSwiki from anything other than the localhost (if you want to).
> >
> >- Stephen
> >
> >
> >
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Swanlund
> >>Sent: Tuesday, August 27, 2002 1:25 PM
> >>To: PWS
> >>Subject: [pws] ComSwiki with SSL
> >>
> >>
> >>Can anybody tell me if its possible to run ComSwiki with a
> >>secure link using SSL? If so, can you suggest how to do this
> >>with Windows (NT or 2000)?
> >>
> >>Thanks,
> >>Glenn
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
>
>
--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE)
[EMAIL PROTECTED]
DLESE Program Center (DPC) ~~~ ~~ ~~~~ __o
UCAR/DPC, P.O. Box 3000 Ph) 303-497-2663 ~~~ ~~~~ ~~ _`\<,_
Boulder, CO 80307-3000 Fx) 303-497-8336 ~~~~ ~~~ ~~~~ (*)/ (*)
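As an added illustration, not code from anyone in this thread: a small parser for the ssldump record lines Peter pasted, which groups the records into flights (runs in one direction), finds the first client application_data record (the HTTP GET), and expresses the time spent before it in round trips, using the 164 ms ICMP RTT from his ping. The record-line regex, the flight grouping and the resumption heuristic (a ChangeCipherSpec in the server's first flight means an abbreviated, session-resumed handshake) are this example's own assumptions.

```python
import re

# Constructed sample: the record lines of the ssldump trace quoted in the mail above.
SSLDUMP_TRACE = """\
1 1 0.2100 (0.2100) C>S Handshake
1 2 0.4900 (0.2800) S>C Handshake
1 3 0.4900 (0.0000) S>C ChangeCipherSpec
1 4 0.4900 (0.0000) S>C Handshake
1 5 0.5100 (0.0200) C>S ChangeCipherSpec
1 6 0.8200 (0.3100) C>S Handshake
1 7 0.8200 (0.0000) C>S application_data
1 8 1.6000 (0.7800) S>C application_data
1 9 1.6000 (0.0000) S>C Alert
1 10 2.0000 (0.4000) C>S application_data
1 12.3800 (10.3800) S>C TCP FIN
"""

# conn, record number, absolute time, delta, direction, record type (assumed layout)
RECORD_RE = re.compile(r"^(\d+)\s+(\d+)\s+([\d.]+)\s+\(([\d.]+)\)\s+(C>S|S>C)\s+(\S+)")


def parse_ssldump(text):
    """Return one dict per TLS record line; the TCP FIN line has no record
    number, so the regex does not match it and it is skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            conn, num, t, delta, direction, kind = m.groups()
            records.append({"conn": int(conn), "num": int(num), "time": float(t),
                            "delta": float(delta), "dir": direction, "kind": kind})
    return records


def handshake_cost(records, rtt_s):
    """Group records into flights up to the first C>S application_data (the HTTP
    request) and express the elapsed time in units of the measured RTT."""
    flights = []
    for r in records:
        if r["dir"] == "C>S" and r["kind"] == "application_data":
            first_request_at = r["time"]
            break
        if not flights or flights[-1][0]["dir"] != r["dir"]:
            flights.append([])
        flights[-1].append(r)
    else:
        raise ValueError("no client application_data in trace")
    # A ChangeCipherSpec in the server's first flight means an abbreviated
    # (session-resumption) handshake: no certificate/key-exchange round trip.
    resumed = len(flights) > 1 and any(r["kind"] == "ChangeCipherSpec" for r in flights[1])
    return {"first_request_at": first_request_at,
            "flights_before_request": len(flights),
            "resumed_session": resumed,
            "rtts_before_request": first_request_at / rtt_s}


if __name__ == "__main__":
    print(handshake_cost(parse_ssldump(SSLDUMP_TRACE), 0.164))  # 164 ms from the ping
```

On this trace the GET goes out after three flights and 0.82 s, about five RTTs at 164 ms, even though the server already resumed the session rather than running a full handshake.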