RE: SSL Performance Problem
Andre, 1) SSL HttpClient is reliant upon Sun's JSSE implementation (alternative SSL implementation can also be plugged-in with a bit of coding) to provide SSL transport encryption. From the HttpClient's standpoint HTTP does not differ much from HTTPS (if at all) once communication socket has been open. You might want to use raw SSL socket in order to establish a base-line for your measurements 2) 'Expect: 10-continue' RFC2616 does not really provide any guidelines as to when the handshake should or should not be used or what is considered to be normal or abnormal circumstances. Any HTTP/1.1 compliant server or proxy MUST be prepared to deal with it at any time. Therefore 2.0alpha3 does enable 'Expect: 10-continue' per default. However, the handshake has been causing massive problems with HTTP/1.0 proxies, so we have decided to disable it per default. The user can still enable/disable 'Expect: 10-continue' handshake for any given entity enclosing method. Cheers Oleg -Original Message- From: André Augusto de Oliveira Aragão [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 3. April 2003 15:59 To: '[EMAIL PROTECTED]' Subject: SSL Performance Problem HI! I think httpclient is having a strange behavior. I´m developing a software that, among other things, must make performance measurements on web sites. I have a site called https://callcenter.tco.net.br. This site uses, as you can see SSL. And I also have this site in a non ssl version - http://www.tco.net.br/col. When I try to measure performance in the https://callcenter.tco.net.br, I get always 3000 ms. I can run a dozen times, and I get it over and over (with the log turned off), with very small changes - about 4 ms. It´s very strange. This time is measured only in the second post interaction, ie, in the reply to the 100-continue server response. When I use the non-ssl version, the time changes at each try, as expected. Other problem is the performance. When I use the non-ssl version, the time changes from 800 ms to 1200 ms. Using the https, it´s always 3000 ms. I have a similar function wrote in C++, and I get similar times using http or https. Well, https sometimes get to 1500 ms, but generally speaking, the degradation is not sensible. I´m sending my code, and the log generated for both situations, using the https and the http site. Another question: Why the httpclient always add the Expect: 100-continue header? Is it part of the http spec? As I know, it should not be used on normal situations, ie, when you have a small post to do to the server. Correct me If I´m wrong. I´m using 2.0-alpha3-dev. Thanks in advance, Andre Augusto TCO Celular - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL Performance Problem
Hello André, Unfortunately it seems that the attachments were stipped from your message. Jeff, Oleg do you have any idea how we can get this fixed? I'm guessing the poor performance with SSL is due to the Expect: 100-continue header. Try calling setUseExpectHeader(false) on the post method. I would also suggest using the latest code from CVS or a nightly build. Mike André Augusto de Oliveira Aragão wrote: HI! I think httpclient is having a strange behavior. I´m developing a software that, among other things, must make performance measurements on web sites. I have a site called https://callcenter.tco.net.br. This site uses, as you can see SSL. And I also have this site in a non ssl version - http://www.tco.net.br/col. When I try to measure performance in the https://callcenter.tco.net.br, I get always 3000 ms. I can run a dozen times, and I get it over and over (with the log turned off), with very small changes - about 4 ms. It´s very strange. This time is measured only in the second post interaction, ie, in the reply to the 100-continue server response. When I use the non-ssl version, the time changes at each try, as expected. Other problem is the performance. When I use the non-ssl version, the time changes from 800 ms to 1200 ms. Using the https, it´s always 3000 ms. I have a similar function wrote in C++, and I get similar times using http or https. Well, https sometimes get to 1500 ms, but generally speaking, the degradation is not sensible. I´m sending my code, and the log generated for both situations, using the https and the http site. Another question: Why the httpclient always add the Expect: 100-continue header? Is it part of the http spec? As I know, it should not be used on normal situations, ie, when you have a small post to do to the server. Correct me If I´m wrong. I´m using 2.0-alpha3-dev. Thanks in advance, Andre Augusto TCO Celular - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL Performance Problem
Thanks Michael, I´m trying to send it again, this time as zip file. About the poor performance, I'm measuring time only after receiving the 100 server response, in the second step of the handshaking process. In the C++ version I have, I don´t know if it does or not the 100 handshaking - I don't have the code. Anyway, it´s much faster, and I don´t believe it´s because it´s implemented in java. The http version has similar times in the java and C++ version. Can you point me a similar jsse implementation? What about the constant times? It´s the weird thing. It takes the same time in the first part of the negotiation, when it send the 100 header, and in the second part - actually when the request is processed in the server. Any explanations? Regards, Andre -Original Message- From: Michael Becke [mailto:[EMAIL PROTECTED] Sent: quinta-feira, 3 de abril de 2003 11:39 To: Commons HttpClient Project Subject: Re: SSL Performance Problem Hello André, Unfortunately it seems that the attachments were stipped from your message. Jeff, Oleg do you have any idea how we can get this fixed? I'm guessing the poor performance with SSL is due to the Expect: 100-continue header. Try calling setUseExpectHeader(false) on the post method. I would also suggest using the latest code from CVS or a nightly build. Mike André Augusto de Oliveira Aragão wrote: HI! I think httpclient is having a strange behavior. I´m developing a software that, among other things, must make performance measurements on web sites. I have a site called https://callcenter.tco.net.br. This site uses, as you can see SSL. And I also have this site in a non ssl version - http://www.tco.net.br/col. When I try to measure performance in the https://callcenter.tco.net.br, I get always 3000 ms. I can run a dozen times, and I get it over and over (with the log turned off), with very small changes - about 4 ms. It´s very strange. This time is measured only in the second post interaction, ie, in the reply to the 100-continue server response. When I use the non-ssl version, the time changes at each try, as expected. Other problem is the performance. When I use the non-ssl version, the time changes from 800 ms to 1200 ms. Using the https, it´s always 3000 ms. I have a similar function wrote in C++, and I get similar times using http or https. Well, https sometimes get to 1500 ms, but generally speaking, the degradation is not sensible. I´m sending my code, and the log generated for both situations, using the https and the http site. Another question: Why the httpclient always add the Expect: 100-continue header? Is it part of the http spec? As I know, it should not be used on normal situations, ie, when you have a small post to do to the server. Correct me If I´m wrong. I´m using 2.0-alpha3-dev. Thanks in advance, Andre Augusto TCO Celular - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL Performance Problem
Andre Recently there has been an SSL vulnerability discovered related (very roughly put) to the time it takes the server respond to an invalid authentication request. For more details refer to http://lasecwww.epfl.ch/memo_ssl.shtml I would not be too surprised if newer SSL implementation developed some pre-emptive measures against similar exploits by trying to equalize response time. It's just a wild guess on my part. By no means being a security expert I may be wrong about it. Oleg -Original Message- From: André Augusto de Oliveira Aragão [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 3. April 2003 16:55 To: 'Commons HttpClient Project' Cc: '[EMAIL PROTECTED]' Subject: RE: SSL Performance Problem Thanks Michael, I´m trying to send it again, this time as zip file. About the poor performance, I'm measuring time only after receiving the 100 server response, in the second step of the handshaking process. In the C++ version I have, I don´t know if it does or not the 100 handshaking - I don't have the code. Anyway, it´s much faster, and I don´t believe it´s because it´s implemented in java. The http version has similar times in the java and C++ version. Can you point me a similar jsse implementation? What about the constant times? It´s the weird thing. It takes the same time in the first part of the negotiation, when it send the 100 header, and in the second part - actually when the request is processed in the server. Any explanations? Regards, Andre -Original Message- From: Michael Becke [mailto:[EMAIL PROTECTED] Sent: quinta-feira, 3 de abril de 2003 11:39 To: Commons HttpClient Project Subject: Re: SSL Performance Problem Hello André, Unfortunately it seems that the attachments were stipped from your message. Jeff, Oleg do you have any idea how we can get this fixed? I'm guessing the poor performance with SSL is due to the Expect: 100-continue header. Try calling setUseExpectHeader(false) on the post method. I would also suggest using the latest code from CVS or a nightly build. Mike André Augusto de Oliveira Aragão wrote: HI! I think httpclient is having a strange behavior. I´m developing a software that, among other things, must make performance measurements on web sites. I have a site called https://callcenter.tco.net.br. This site uses, as you can see SSL. And I also have this site in a non ssl version - http://www.tco.net.br/col. When I try to measure performance in the https://callcenter.tco.net.br, I get always 3000 ms. I can run a dozen times, and I get it over and over (with the log turned off), with very small changes - about 4 ms. It´s very strange. This time is measured only in the second post interaction, ie, in the reply to the 100-continue server response. When I use the non-ssl version, the time changes at each try, as expected. Other problem is the performance. When I use the non-ssl version, the time changes from 800 ms to 1200 ms. Using the https, it´s always 3000 ms. I have a similar function wrote in C++, and I get similar times using http or https. Well, https sometimes get to 1500 ms, but generally speaking, the degradation is not sensible. I´m sending my code, and the log generated for both situations, using the https and the http site. Another question: Why the httpclient always add the Expect: 100-continue header? Is it part of the http spec? As I know, it should not be used on normal situations, ie, when you have a small post to do to the server. Correct me If I´m wrong. I´m using 2.0-alpha3-dev. Thanks in advance, Andre Augusto TCO Celular - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL Performance Problem
Stupid me ;-) Actually HttpClient uses 3000ms timeout when expecting 100 (CONTINUE) status code. That has nothing to do with SSL and all my conspiracy theories. As now 'expect: 100-continue' is disabled per default, HttpClient treats all 100 status codes it receives as unexpected. This is perfectly ok. Some HTTP servers do send 100 (CONTINUE) status code even if they are not asked to do so. Are you using Jetty by any chance? Oleg -Original Message- From: André Augusto de Oliveira Aragão [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 3. April 2003 17:24 To: 'Commons HttpClient Project' Subject: RE: SSL Performance Problem HI! I got the latest nightly build. The times are no more constant, and the performance is now ok. There is a new message in the log: org.apache.commons.httpclient.HttpMethod - Discarding unexpected response: HTTP/1.1 100 Continue Why is it discarding? Is the server sending me this anyway, or the httpclient is sending the header Expect 100: continue with my post data? Best regards, Andre -Original Message- From: Kalnichevski, Oleg [mailto:[EMAIL PROTECTED] Sent: quinta-feira, 3 de abril de 2003 12:14 To: Commons HttpClient Project Subject: RE: SSL Performance Problem Andre Recently there has been an SSL vulnerability discovered related (very roughly put) to the time it takes the server respond to an invalid authentication request. For more details refer to http://lasecwww.epfl.ch/memo_ssl.shtml I would not be too surprised if newer SSL implementation developed some pre-emptive measures against similar exploits by trying to equalize response time. It's just a wild guess on my part. By no means being a security expert I may be wrong about it. Oleg -Original Message- From: André Augusto de Oliveira Aragão [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 3. April 2003 16:55 To: 'Commons HttpClient Project' Cc: '[EMAIL PROTECTED]' Subject: RE: SSL Performance Problem Thanks Michael, I´m trying to send it again, this time as zip file. About the poor performance, I'm measuring time only after receiving the 100 server response, in the second step of the handshaking process. In the C++ version I have, I don´t know if it does or not the 100 handshaking - I don't have the code. Anyway, it´s much faster, and I don´t believe it´s because it´s implemented in java. The http version has similar times in the java and C++ version. Can you point me a similar jsse implementation? What about the constant times? It´s the weird thing. It takes the same time in the first part of the negotiation, when it send the 100 header, and in the second part - actually when the request is processed in the server. Any explanations? Regards, Andre -Original Message- From: Michael Becke [mailto:[EMAIL PROTECTED] Sent: quinta-feira, 3 de abril de 2003 11:39 To: Commons HttpClient Project Subject: Re: SSL Performance Problem Hello André, Unfortunately it seems that the attachments were stipped from your message. Jeff, Oleg do you have any idea how we can get this fixed? I'm guessing the poor performance with SSL is due to the Expect: 100-continue header. Try calling setUseExpectHeader(false) on the post method. I would also suggest using the latest code from CVS or a nightly build. Mike André Augusto de Oliveira Aragão wrote: HI! I think httpclient is having a strange behavior. I´m developing a software that, among other things, must make performance measurements on web sites. I have a site called https://callcenter.tco.net.br. This site uses, as you can see SSL. And I also have this site in a non ssl version - http://www.tco.net.br/col. When I try to measure performance in the https://callcenter.tco.net.br, I get always 3000 ms. I can run a dozen times, and I get it over and over (with the log turned off), with very small changes - about 4 ms. It´s very strange. This time is measured only in the second post interaction, ie, in the reply to the 100-continue server response. When I use the non-ssl version, the time changes at each try, as expected. Other problem is the performance. When I use the non-ssl version, the time changes from 800 ms to 1200 ms. Using the https, it´s always 3000 ms. I have a similar function wrote in C++, and I get similar times using http or https. Well, https sometimes get to 1500 ms, but generally speaking, the degradation is not sensible. I´m sending my code, and the log generated for both situations, using the https and the http site. Another question: Why the httpclient always add the Expect: 100-continue header? Is it part of the http spec? As I know, it should not be used on normal situations, ie, when you have a small post to do to the server. Correct me If I´m wrong. I´m using 2.0-alpha3-dev. Thanks in advance, Andre Augusto TCO Celular
Re: SSL Performance Problem
Yes, it was definitely the 100-continue that was causing the problem. 3000ms seemed like and awfully round number:) André, you should not need to handle the 100 status response in your code anymore. This value should no longer be returned by the method. Mike Kalnichevski, Oleg wrote: Stupid me ;-) Actually HttpClient uses 3000ms timeout when expecting 100 (CONTINUE) status code. That has nothing to do with SSL and all my conspiracy theories. As now 'expect: 100-continue' is disabled per default, HttpClient treats all 100 status codes it receives as unexpected. This is perfectly ok. Some HTTP servers do send 100 (CONTINUE) status code even if they are not asked to do so. Are you using Jetty by any chance? Oleg -Original Message- From: André Augusto de Oliveira Aragão [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 3. April 2003 17:24 To: 'Commons HttpClient Project' Subject: RE: SSL Performance Problem HI! I got the latest nightly build. The times are no more constant, and the performance is now ok. There is a new message in the log: org.apache.commons.httpclient.HttpMethod - Discarding unexpected response: HTTP/1.1 100 Continue Why is it discarding? Is the server sending me this anyway, or the httpclient is sending the header Expect 100: continue with my post data? Best regards, Andre -Original Message- From: Kalnichevski, Oleg [mailto:[EMAIL PROTECTED] Sent: quinta-feira, 3 de abril de 2003 12:14 To: Commons HttpClient Project Subject: RE: SSL Performance Problem Andre Recently there has been an SSL vulnerability discovered related (very roughly put) to the time it takes the server respond to an invalid authentication request. For more details refer to http://lasecwww.epfl.ch/memo_ssl.shtml I would not be too surprised if newer SSL implementation developed some pre-emptive measures against similar exploits by trying to equalize response time. It's just a wild guess on my part. By no means being a security expert I may be wrong about it. Oleg -Original Message- From: André Augusto de Oliveira Aragão [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 3. April 2003 16:55 To: 'Commons HttpClient Project' Cc: '[EMAIL PROTECTED]' Subject: RE: SSL Performance Problem Thanks Michael, I´m trying to send it again, this time as zip file. About the poor performance, I'm measuring time only after receiving the 100 server response, in the second step of the handshaking process. In the C++ version I have, I don´t know if it does or not the 100 handshaking - I don't have the code. Anyway, it´s much faster, and I don´t believe it´s because it´s implemented in java. The http version has similar times in the java and C++ version. Can you point me a similar jsse implementation? What about the constant times? It´s the weird thing. It takes the same time in the first part of the negotiation, when it send the 100 header, and in the second part - actually when the request is processed in the server. Any explanations? Regards, Andre -Original Message- From: Michael Becke [mailto:[EMAIL PROTECTED] Sent: quinta-feira, 3 de abril de 2003 11:39 To: Commons HttpClient Project Subject: Re: SSL Performance Problem Hello André, Unfortunately it seems that the attachments were stipped from your message. Jeff, Oleg do you have any idea how we can get this fixed? I'm guessing the poor performance with SSL is due to the Expect: 100-continue header. Try calling setUseExpectHeader(false) on the post method. I would also suggest using the latest code from CVS or a nightly build. Mike André Augusto de Oliveira Aragão wrote: HI! I think httpclient is having a strange behavior. I´m developing a software that, among other things, must make performance measurements on web sites. I have a site called https://callcenter.tco.net.br. This site uses, as you can see SSL. And I also have this site in a non ssl version - http://www.tco.net.br/col. When I try to measure performance in the https://callcenter.tco.net.br, I get always 3000 ms. I can run a dozen times, and I get it over and over (with the log turned off), with very small changes - about 4 ms. It´s very strange. This time is measured only in the second post interaction, ie, in the reply to the 100-continue server response. When I use the non-ssl version, the time changes at each try, as expected. Other problem is the performance. When I use the non-ssl version, the time changes from 800 ms to 1200 ms. Using the https, it´s always 3000 ms. I have a similar function wrote in C++, and I get similar times using http or https. Well, https sometimes get to 1500 ms, but generally speaking, the degradation is not sensible. I´m sending my code, and the log generated for both situations, using the https and the http site. Another question: Why the httpclient always add the Expect: 100-continue header? Is it part of the http spec? As I know, it should not be used on normal situations, ie, when you have a small post to do to the server. Correct
Re: SSL Performance Problem
This may be getting fixed soon. See the bugtrack item for Jetty: http://sourceforge.net/tracker/index.php?func=detailaid=699011group_id=732 2atid=107322 The item remains open, and greg is normally pretty good about closing things when they're done. Cheers, Simon - Original Message - From: Oleg Kalnichevski [EMAIL PROTECTED] To: Commons HttpClient Project [EMAIL PROTECTED] Sent: Friday, April 04, 2003 6:22 AM Subject: RE: SSL Performance Problem Andre, I know for sure Jetty server always sends 100 status code when processing POST HTTP/1.1 regardless of 'expect: 100-continue' header being present or not. So, it was my guess you were using Jetty Oleg On Thu, 2003-04-03 at 20:09, André Augusto de Oliveira Aragão wrote: Oleg, I'm not using Jetty, at least not in this project. The server I'm monitoring is M$ IIS. Why are you asking? Andre - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
