On Tue, Aug 27, 2002 at 01:58:41PM -0600, Nevin Pratt wrote:
>
> I'm seeing a performance issue with Stunnel that I haven't tracked down yet.
>
> To access my wife's (Squeak-driven) site unsecured, try:
>
>    http://www.bountifulbaby.com
>
> To access her site secured using stunnel SSL, try:
>
>    https://www.bountifulbaby.com
>
> (note the 'https' instead of 'http')
>
> The site is hosted on FreeBSD, and driven by Squeak.
>
> The second URL above connects to the Stunnel daemon via SSL, and the
> Stunnel daemon uses port forwarding to speak to Squeak.

Coming from a residential DSL connection in Denver, the ICMP latency to
your site is what makes this so slow:

64 bytes from cpe-66-1-184-254.ut.sprintbbd.net (66.1.184.254): icmp_seq=0 ttl=238 time=164.231 msec

So, watch this SSL connection take place (using Eric Rescorla's
excellent ssldump):

$ sudo ssldump -i eth0 port 443
Kernel filter, protocol ALL, raw packet socket
New TCP connection #1: www.pburkholder.com(32979) <-> cpe-66-1-184-254.ut.sprintbbd.net(443)
1 1  0.2100 (0.2100)  C>S  Handshake
      ClientHello
        Version 3.1
        resume [32]=
          9b ca f7 eb 31 1f 32 87 08 d5 91 c7 2b 8d ac 00
          81 5a e7 00 74 cf c3 8d 08 5c bd a2 d8 bc 2f 9b
        cipher suites
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.4900 (0.2800)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          9b ca f7 eb 31 1f 32 87 08 d5 91 c7 2b 8d ac 00
          81 5a e7 00 74 cf c3 8d 08 5c bd a2 d8 bc 2f 9b
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
        compressionMethod                   NULL
1 3  0.4900 (0.0000)  S>C  ChangeCipherSpec
1 4  0.4900 (0.0000)  S>C  Handshake
1 5  0.5100 (0.0200)  C>S  ChangeCipherSpec
1 6  0.8200 (0.3100)  C>S  Handshake
1 7  0.8200 (0.0000)  C>S  application_data
1 8  1.6000 (0.7800)  S>C  application_data
1 9  1.6000 (0.0000)  S>C  Alert
1 10 2.0000 (0.4000)  C>S  application_data
1    12.3800 (10.3800)  S>C  TCP FIN

and you'll see that it's only at packet exchange 7 (Client>Server
application_data) that the HTTP GET is finally issued, so you're already
0.82 seconds into this.

You may want to enable compression since latency bandwidth issues may be
a bigger hit than compression processing.

Cheers,
Peter

>
> Notice how much slower the second URL is than the first one. I haven't
> yet tracked down why. Anybody know?
>
> Nevin
>
>
> Stephen Pair wrote:
>
> >Check out http://www.stunnel.org ...I've used it to serve Swikis through
> >SSL in the past. You'll run stunnel on the machine where ComSwiki is
> >running and make incoming SSL connections (to stunnel) forward to
> >ComSwiki on the localhost. You can then disable insecure connections to
> >ComSwiki from anything other than the localhost (if you want to).
> >
> >- Stephen
> >
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Swanlund
> >>Sent: Tuesday, August 27, 2002 1:25 PM
> >>To: PWS
> >>Subject: [pws] ComSwiki with SSL
> >>
> >>
> >>Can anybody tell me if it's possible to run ComSwiki with a
> >>secure link using SSL? If so, can you suggest how to do this
> >>with Windows (NT or 2000)?
> >>
> >>Thanks,
> >>Glenn
> >>

--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE)
[EMAIL PROTECTED]
DLESE Program Center (DPC)                   ~~~  ~~ ~~~~    __o
UCAR/DPC, P.O. Box 3000   Ph) 303-497-2663   ~~~ ~~~~ ~~   _`\<,_
Boulder, CO 80307-3000    Fx) 303-497-8336   ~~~~ ~~~ ~~~~ (*)/ (*)
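The reading of the capture given in the reply above, as an added example that is not part of the original message: a Python parser for ssldump record lines that reports when the client's first application_data goes out, how many handshake flights precede it, and how that time compares with the quoted ping round trip. The function names are assumptions of this example; the record lines and the 164.231 msec figure are taken from the message.

```python
import re

# Record lines copied from the ssldump capture in the message above; all
# but one of the indented handshake detail lines are trimmed.
CAPTURE = """\
1 1  0.2100 (0.2100)  C>S  Handshake
      ClientHello
1 2  0.4900 (0.2800)  S>C  Handshake
1 3  0.4900 (0.0000)  S>C  ChangeCipherSpec
1 4  0.4900 (0.0000)  S>C  Handshake
1 5  0.5100 (0.0200)  C>S  ChangeCipherSpec
1 6  0.8200 (0.3100)  C>S  Handshake
1 7  0.8200 (0.0000)  C>S  application_data
1 8  1.6000 (0.7800)  S>C  application_data
1 9  1.6000 (0.0000)  S>C  Alert
1 10 2.0000 (0.4000)  C>S  application_data
1    12.3800 (10.3800)  S>C  TCP FIN
"""
PING_RTT_S = 0.164231  # ICMP round trip quoted in the message

# connection, optional record number, elapsed s, delta s, direction, content
RECORD = re.compile(r"^\d+\s+(?:(\d+)\s+)?(\d+\.\d+)\s+\((\d+\.\d+)\)"
                    r"\s+([CS]>[CS])\s+(.+?)\s*$")

def parse_records(text):
    """Return one dict per ssldump record line, skipping detail lines."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            num, t, delta, direction, kind = m.groups()
            out.append({"num": int(num) if num else None, "t": float(t),
                        "delta": float(delta), "dir": direction, "type": kind})
    return out

def request_latency(text, rtt_s):
    """Measure what the client pays before its first application_data."""
    recs = parse_records(text)
    idx = next(i for i, r in enumerate(recs)
               if r["dir"] == "C>S" and r["type"] == "application_data")
    setup = recs[:idx]
    # A new flight starts each time the sending side changes.
    flights = sum(1 for i, r in enumerate(setup)
                  if i == 0 or r["dir"] != setup[i - 1]["dir"])
    reply = next(r for r in recs[idx:] if r["dir"] == "S>C")
    return {"record": recs[idx]["num"], "seconds": recs[idx]["t"],
            "handshake_flights": flights,
            "rtts": round(recs[idx]["t"] / rtt_s, 1),
            "reply_wait": round(reply["t"] - recs[idx]["t"], 2)}
```

Calling `request_latency(CAPTURE, PING_RTT_S)` shows the first request leaving at record 7, 0.82 s in, after three handshake flights, which is about five ping round trips on this link.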