Webpage over SSL timing out?

2003-10-07 Thread Sarah Haff
I apologize if this posting appears twice. :)

Hi,

We have a webserver that is serving image (gif/jpg) files over SSL. I am
using Apache 2.46 compiled with SSL/PHP/mod_rewrite support. I did not
include any other module.

The webserver seems to work fine. However, if a webpage has multiple image
files, not all the image files load, and "broken image icons" are shown
instead. Seems like the SSL/HTTP connection is timing out. Is there a way to
increase this timeout period? I don't mind if it takes a little longer to load
the page, but the user should see all the image files.

Another alternative is to use a HW based SSL solution like nCipher's CHIL.
But I want to make that the last option, since I don't want to re-configure
the HW/application on the server.

Any ideas on how other sites handle image files over SSL? I need the image
files over SSL, because they are scanned images of confidential information.

Thanks.
Sarah.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: Webpage over SSL timing out?

2003-10-07 Thread Cliff Woolley
On Tue, 7 Oct 2003, Sarah Haff wrote:

> We have a webserver that is serving image (gif/jpg) files over SSL. I am
> using Apache 2.46 compiled with SSL/PHP/mod_rewrite support. I did not
> include any other module.
>
> The webserver seems to work fine. However, if a webpage has multiple image
> files, not all the image files load, and "broken image icons" are shown
> instead. Seems like the SSL/HTTP connection is timing out. Is there a way to
> increase this timeout period? I don't mind if it takes a little longer to load
> the page, but the user should see all the image files.

This is actually most likely a problem with either SSL session caching or
with "keepalive" HTTP requests.  What settings are you using for the
SSLSessionCache directive?  Does this only happen with Internet Explorer?
If so, are you using the SetEnvIf directive suggested at
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#msie ?

--Cliff


Re: Webpage over SSL timing out?

2003-10-07 Thread Sarah Haff
> This is actually most likely a problem with either SSL session caching or
> with "keepalive" HTTP requests.  What settings are you using for the
> SSLSessionCache directive?  Does this only happen with Internet Explorer?
> If so, are you using the SetEnvIf directive suggested at
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#msie ?

Cliff,

Thanks for the response. The problem happens with Mozilla and IE.

Here is my SSLCache setting in ssl.conf:

SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout  1300

and httpd.conf:

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

Thanks.
Sarah.


Correction: Apache_1.3.28-Mod_SSL_2.8.15-Opensss_0.9.7c.zip

2003-10-07 Thread hunter
To all Windows users of my Apache Windows builds:

If you downloaded Apache_1.3.28-Mod_SSL_2.8.15-Opensss_0.9.7c.zip
between Oct 1 and Oct 7 you have downloaded the previous build due to a
*dumb* build error. After Oct 7 the zip has been properly made. You can
check your code by looking at the dates of the binaries - they should be
Oct 1 and not Jul 16, but the binaries in the new package are Oct 7.

My apologies for any inconvenience this may have caused.

Following the last fix from OpenSSL both versions of Apache have been
updated.  

You have a choice of two sites: 

http://hunter.campbus.com/Apache_1.3.28-Mod_SSL_2.8.25-OpenSSL_0.9.7c-Win32.zip
http://hunter.campbus.com/Openssl-0.9.7c-Win32.zip

http://hunter.campbus.com/Apache_2.0.47-OpenSSL_0.9.7c-Win32.zip

My personal web server (a little bit slow) but all previous releases are
there and so are the MD5's.

http://tor.ath.cx/~hunter/apache/

If you have any problems contact me on the list, 
or theantigod (AT) sympatico.ca 

BTW: my personal account: hunter (AT) tor.ath.cx 
is being blocked by my ISP (Sympatico.ca)

Chris
  




Re: Webpage over SSL timing out?

2003-10-07 Thread Mads Toftum
On Tue, Oct 07, 2003 at 03:17:49PM -0700, Sarah Haff wrote:
> We have a webserver that is serving image (gif/jpg) files over SSL. I am
> using Apache 2.46 compiled with SSL/PHP/mod_rewrite support. I did not
> include any other module.
>
> The webserver seems to work fine. However, if a webpage has multiple image
> files, not all the image files load, and "broken image icons" are shown
> instead. Seems like the SSL/HTTP connection is timing out. Is there a way
> to increase this timeout period? I don't mind if it takes a little longer to
> load the page, but the user should see all the image files.

Check Cliff's suggestions about SSLSessionCache (the shm type is preferable
for performance reasons).
Other suggestions could be turning on keepalives and possibly to remove
some of the weaker cipher options from SSLCipherSuite.
> 
> Another alternative is to use a HW based SSL solution like nCipher's CHIL.
> But I want to make that the last option, since I don't want to re-configure
> the HW/application on the server.
> 
How does the cpu usage look on the server? If the load isn't high, then
you probably won't win much with an ssl accelerator.

> Any ideas on how other sites handle image files over SSL? I need the image
> files over SSL, because they are scanned images of confidential information.
> 
Just like any other file type - apache doesn't really care what it is.

vh

Mads Toftum
-- 
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations" 
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation" 


Re: Webpage over SSL timing out?

2003-10-07 Thread Mads Toftum
On Tue, Oct 07, 2003 at 04:00:11PM -0700, Sarah Haff wrote:
> Here is my SSLCache setting in ssl.conf
> SSLSessionCache shmcb:logs/ssl_scache(512000)
> #SSLSessionCache dbm:logs/ssl_scache
> SSLSessionCacheTimeout  1300
> 
Looks ok - you could try confirming that session caching works by
using the command: 

openssl s_client -connect HOST:PORT -reconnect

> and httpd.conf
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 300
> 
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive On
> 
This might be disabled elsewhere by something like (from the std config):

SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
  
You could try without it and see if it helps.

vh

Mads Toftum
-- 
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations" 
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation" 


Re: Webpage over SSL timing out?

2003-10-07 Thread Sarah Haff
Thanks for the reply Toftum,

What is the difference between "shmht" and "shmcb"?

#SSLSessionCache shmht:logs/ssl_scache(512000)
SSLSessionCache shmcb:logs/ssl_scache(512000)

I ran the openssl s_client -connect HOST:PORT -reconnect command.

The difference between the cached and non-cached connection was:

multiple lines of
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA (with caching disabled)
vs
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA (with caching enabled)

So I guess "Reused" says the caching is working. Am I right?

Thanks
Sarah.
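
The check discussed in this exchange, scripted as an added example that is not part of the original thread: a shell function that counts the "New" and "Reused" handshake lines in `openssl s_client -reconnect` output and reports whether session resumption took place. The function name, the verdict strings and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify handshakes in `openssl s_client -reconnect` output.
# Reads the output on stdin, prints "new=N reused=M verdict=...", and returns
# 0 only when at least one reconnect resumed a cached session.
check_resumption() {
    awk '
        /^New, /    { full++ }      # full handshake (no session reuse)
        /^Reused, / { resumed++ }   # abbreviated handshake from the cache
        END {
            n = full + 0; r = resumed + 0
            if (n + r == 0)  verdict = "no-handshake"       # connect failed
            else if (r == 0) verdict = "cache-not-working"
            else if (n > 1)  verdict = "partial"            # some reconnects missed
            else             verdict = "cache-working"
            printf "new=%d reused=%d verdict=%s\n", n, r, verdict
            exit (r > 0 ? 0 : 1)
        }'
}

# Constructed sample output (handshake summary lines only), not a capture.
sample_cached() {
    echo 'New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA'
    for i in 1 2 3 4 5; do
        echo 'Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA'
    done
}
sample_uncached() {
    for i in 1 2 3 4 5 6; do
        echo 'New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA'
    done
}

sample_cached   | check_resumption
sample_uncached | check_resumption || true

# Against a live server (HOST:PORT as in the thread):
#   openssl s_client -connect HOST:PORT -reconnect </dev/null 2>/dev/null | check_resumption
```

A "partial" verdict means only some reconnects were resumed, which is worth checking against the SSLSessionCache type in use.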


Re: Webpage over SSL timing out?

2003-10-07 Thread Sarah Haff
> Other suggestions could be turning on keepalives and possibly to remove
> some of the weaker cipher options from SSLCipherSuite.

How does removing weaker ciphers improve the performance?

> How does the cpu usage look on the server? If the load isn't high, then
> you probably won't win much with an ssl accelerator.

It is a quad CPU server 2.8 GHz, so the max CPU usage goes to 10% per CPU.

Thanks for all the help.
Sarah


Re: Webpage over SSL timing out?

2003-10-07 Thread Jason Haar
Bit of a "me too" here. Just today I noticed an issue whereby running a PHP
web page that does LDAP queries across our WAN was hanging forever (not an
SSL issue BTW - bad LDAP server). I hit the "Stop" button and tried
reloading to have another go - and the browser's "swirly thing" swirled away
forever - after ten minutes it was still going. A sniffer shows HTTPS
traffic between my workstation and the server - but the server never
attempted the second LDAP call - which makes me think the request never
happened (i.e. something got stuck in SSL land)

In the end the only fix was to either kill the browser, or restart the httpd
server.

That was Mozilla 1.5 under Redhat 8 talking to Apache 1.3.27/mod_ssl-2.8.12-2

Timeout 300
KeepAliveTimeout 15
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

> openssl s_client -connect HOST:PORT -reconnect

That appears to work fine here too - I get the "reused" line...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1