Re: Setting x509 Certificate algorithm

2011-04-27 Thread Mike Markley
That did it! Thank you, I'm neck deep into code that I don't fully
understand, I greatly appreciate the help.

Mike

On Wed, Apr 27, 2011 at 3:54 PM, re est  wrote:
> Hi,
> Have you tried changing this
>         if (!X509_sign(x,pk,EVP_sha1()))
> to
>         if (!X509_sign(x,pk,EVP_sha256()))
>
>
> On Thu, Apr 28, 2011 at 4:13 AM, Mike Markley  wrote:
>>
>> I am creating a self signed x509 certificate using code based on the
>> mkcert.c sample code included in the OpenSSL demo sources. I need to
>> set the algorithm to sha256WithRSAEncryption and I cannot figure out
>> how to do this with the APIs. I always end up with
>> sha1WithRSAEncryption. Am I trying to do the impossible here?
>>
>> Thanks,
>> Mike
>> m...@buddytv.com
>> __
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
>


Re: Setting x509 Certificate algorithm

2011-04-27 Thread re est
Hi,

Have you tried changing this
if (!X509_sign(x,pk,EVP_sha1()))

to
if (!X509_sign(x,pk,EVP_sha256()))



On Thu, Apr 28, 2011 at 4:13 AM, Mike Markley  wrote:

> I am creating a self signed x509 certificate using code based on the
> mkcert.c sample code included in the OpenSSL demo sources. I need to
> set the algorithm to sha256WithRSAEncryption and I cannot figure out
> how to do this with the APIs. I always end up with
> sha1WithRSAEncryption. Am I trying to do the impossible here?
>
> Thanks,
> Mike
> m...@buddytv.com
>
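
The same digest choice made from the command line, with a check of what actually ended up in the certificate. This is an added example, not part of the original thread; it assumes an openssl binary on PATH, and the helper names, subject and file names are constructed.

```bash
#!/bin/sh
# Added example, not code from the thread. Assumes `openssl` is on PATH.
# Helper names, the subject and the file names are constructed.

# make_selfsigned DIGEST DIR
# Create a throwaway RSA key and a self-signed certificate in DIR whose
# signature uses DIGEST, the CLI counterpart of X509_sign(x, pk, EVP_sha256()).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes "-$1" \
        -subj "/CN=constructed.example" -days 1 \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# cert_sig_alg CERT
# Print the signature algorithm recorded in the certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# require_sig_alg CERT EXPECTED
# Succeed only if CERT is signed with EXPECTED; report the mismatch otherwise.
require_sig_alg() {
    actual=$(cert_sig_alg "$1")
    [ "$actual" = "$2" ] && return 0
    echo "$1: signed with $actual, expected $2" >&2
    return 1
}

# Demo: the certificate must come out as sha256WithRSAEncryption.
demo_dir=$(mktemp -d)
make_selfsigned sha256 "$demo_dir" &&
    require_sig_alg "$demo_dir/cert.pem" sha256WithRSAEncryption &&
    echo "cert.pem: $(cert_sig_alg "$demo_dir/cert.pem")"
rm -rf "$demo_dir"
```

require_sig_alg can be run against any existing PEM certificate to catch one that was still signed with SHA-1.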


RE: openssl dgst using ecdsa-with-SHA384

2011-04-27 Thread Shelley, Mike
Thanks for the response, using -sha384 appears to be working and
verifies correctly.

Mike

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Sunday, April 24, 2011 4:17 AM
To: openssl-users@openssl.org
Subject: Re: openssl dgst using ecdsa-with-SHA384

On Wed, Apr 20, 2011, Shelley, Mike wrote:

> Hi all,
>
> I'm having a problem using ecdsa with SHA 384 when creating a message
> digest.  I will admit I'm not too familiar with openssl and digests, but
> I have code that works using -ecdsa-with-SHA1.  I need to change that to
> use ecdsa-with-SHA384.  I looked at the release notes to see that this
> should be supported with openssl version 1.1.0 and later, but I've tried
> that version as well as the latest 1.0.0d, and get a "unknown option
> '-ecdsa-with-SHA384' "
>
> The command I use is:
>
> /usr/local/openssl/bin/openssl dgst -ecdsa-with-SHA384 -binary -out signersCertDgst.tmp x509/public.pem
>
> This same command works when using -ecdsa-with-SHA1
>
> I've looked at the openssl source and it appears to support the
> -ecdsa-with-SHA384, but it's not straight forward to trace it through
> the source code.
>
> Has anyone gotten this to work?  Am I doing something wrong?  I assume
> -sha384 is different than -ecdsa-with-SHA384.
>

Actually that's how you do it: use -sha384 and use an EC key to sign the
result.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
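
The answer above as a runnable sequence: -sha384 selects the digest, and the key type (here an EC key on P-384) is what makes the signature ECDSA. This is an added example, not part of the original thread; it assumes an openssl binary on PATH, and the helper names, file names and the signed message are constructed.

```bash
#!/bin/sh
# Added example, not code from the thread. Assumes `openssl` is on PATH.
# Helper and file names are constructed; the signed message is sample data.

# ec_keypair DIR: generate a P-384 key pair (DIR/ec.key, DIR/ec.pub).
ec_keypair() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/ec.key" &&
        openssl ec -in "$1/ec.key" -pubout -out "$1/ec.pub" 2>/dev/null
}

# digest_len FILE: size in bytes of the raw SHA-384 digest, i.e. what the
# `dgst ... -binary` command in the question produces once -sha384 is used.
digest_len() {
    openssl dgst -sha384 -binary "$1" | wc -c | tr -d ' '
}

# sign_sha384 KEY FILE SIG: ECDSA signature over the SHA-384 digest of FILE.
sign_sha384() {
    openssl dgst -sha384 -sign "$1" -out "$3" "$2"
}

# verify_sha384 PUB FILE SIG: succeed only if SIG matches FILE under PUB.
verify_sha384() {
    openssl dgst -sha384 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Demo on constructed data: sign, verify, then show that a modified file
# no longer verifies.
demo_dir=$(mktemp -d)
printf 'constructed sample message\n' > "$demo_dir/msg.txt"
if ec_keypair "$demo_dir" &&
   sign_sha384 "$demo_dir/ec.key" "$demo_dir/msg.txt" "$demo_dir/msg.sig"; then
    echo "digest bytes: $(digest_len "$demo_dir/msg.txt")"
    verify_sha384 "$demo_dir/ec.pub" "$demo_dir/msg.txt" "$demo_dir/msg.sig" &&
        echo "original file: signature verifies"
    printf 'extra line\n' >> "$demo_dir/msg.txt"
    verify_sha384 "$demo_dir/ec.pub" "$demo_dir/msg.txt" "$demo_dir/msg.sig" ||
        echo "modified file: signature rejected"
fi
rm -rf "$demo_dir"
```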


Re: slow https connections

2011-04-27 Thread Eric S. Eberhard
I suspect client behavior is incorrect.  It could have to do with 1.1 
HTTP, especially if client is PHP (because of 100 continue 
problems).  There are several other documented delays including a 15 
second default keep alive.  There is also a cURL problem that can 
cause this on the client side.


http://curl.haxx.se/mail/curlphp-2005-01/0011.html
http://php.net/manual/en/function.file-get-contents.php

Eric




At 03:06 AM 4/26/2011, Matthew Fletcher wrote:

Hi,

I've come to this list in search of help with slow https connections 
(via the subversion, apache and finally mod_ssl lists).


There is a 15 second ish delay whenever a client connects using 
https, i've tracked this down in the logs to the snippet shown.


-- snip --
[Thu Apr 21 11:21:49 2011] [info] Connection: Client IP: 127.0.0.1, 
Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Thu Apr 21 11:22:07 2011] [debug] ssl_engine_io.c(1889): OpenSSL: 
read 5/5 bytes from BIO#c99cd0 [mem: ca14b0] (BIO dump follows)

-- end --

But I really don't know how to get any further. This machine is 
pretty powerful, quad 3ghz xeon etc.


Full log from startup below,.. any help / ideas much appreciated.

[Thu Apr 21 11:21:16 2011] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 21 11:21:16 2011] [info] Configuring server for SSL protocol
[Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(465): Creating 
new SSL context (protocols: SSLv3, TLSv1)
[Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(661): 
Configuring permitted SSL ciphers 
[ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM]
[Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(420): 
Configuring TLS extension handling
[Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(792): 
Configuring RSA server certificate
[Thu Apr 21 11:21:16 2011] [warn] RSA server certificate is a CA 
certificate (BasicConstraints: CA == TRUE !?)
[Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(831): 
Configuring RSA server private key
[Thu Apr 21 11:21:16 2011] [info] mod_ssl/2.2.17 compiled against 
Server: Apache/2.2.17, Library: OpenSSL/0.9.8r

[Thu Apr 21 11:21:16 2011] [notice] Child 3268: Child process is running
[Thu Apr 21 11:21:16 2011] [debug] mpm_winnt.c(408): Child 3268: 
Retrieved our scoreboard from the parent.
[Thu Apr 21 11:21:16 2011] [info] Parent: Duplicating socket 276 and 
sending it to child process 3268
[Thu Apr 21 11:21:16 2011] [debug] mpm_winnt.c(605): Parent: Sent 1 
listeners to child 3268
[Thu Apr 21 11:21:16 2011] [debug] mpm_winnt.c(564): Child 3268: 
retrieved 1 listeners from parent

[Thu Apr 21 11:21:16 2011] [notice] Child 3268: Acquired the start mutex.
[Thu Apr 21 11:21:16 2011] [notice] Child 3268: Starting 64 worker threads.
[Thu Apr 21 11:21:16 2011] [notice] Child 3268: Listening on port 443.
[Thu Apr 21 11:21:49 2011] [info] [client 127.0.0.1] Connection to 
child 0 established (server pl161.serck-uk.internal:443)

[Thu Apr 21 11:21:49 2011] [info] Seeding PRNG with 144 bytes of entropy
[Thu Apr 21 11:21:49 2011] [debug] ssl_engine_kernel.c(1866): 
OpenSSL: Handshake: start
[Thu Apr 21 11:21:49 2011] [debug] ssl_engine_kernel.c(1874): 
OpenSSL: Loop: before/accept initialization
[Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1889): OpenSSL: 
read 11/11 bytes from BIO#c99cd0 [mem: ca14b0] (BIO dump follows)

Re: Re: Compile OpenSSL with minimum modules

2011-04-27 Thread derleader mail
  >>  Hi,
 >>I need to compile OpenSSL only with support for Symmetric 
 >> encryption - only 3DES support. How I can remove all unneeded stuff? 
 >> Can you give an advice what to remove and how to remove it?
 >
 >
 >I suppose one approach would be to run a test suite that does just what 
 >you need (and everything you need) with a debug build of openssl, and 
 >run it under a code profiler (such as Intel's VTune), iterate this 
 >sufficiently to get adequate code coverage, then seen what big chunks 
 >DONT get touched, and add #IF's around them to block them out, rebuild, 
 >and iterate until it meets your requirements.
 >
 
Thank you for the reply!

Unfortunately I've only been working with C for several weeks. Can you explain in 
more detail how to do this?

Regards
Peter
 

Re: Compile OpenSSL with minimum modules

2011-04-27 Thread John R Pierce

On 04/27/11 12:39 PM, derleader mail wrote:

> Hi,
>   I need to compile OpenSSL only with support for Symmetric 
> encryption - only 3DES support. How I can remove all unneeded stuff? 
> Can you give an advice what to remove and how to remove it?



I suppose one approach would be to run a test suite that does just what 
you need (and everything you need) with a debug build of openssl, and 
run it under a code profiler (such as Intel's VTune), iterate this 
sufficiently to get adequate code coverage, then see what big chunks 
DON'T get touched, and add #IF's around them to block them out, rebuild, 
and iterate until it meets your requirements.





Setting x509 Certificate algorithm

2011-04-27 Thread Mike Markley
I am creating a self signed x509 certificate using code based on the
mkcert.c sample code included in the OpenSSL demo sources. I need to
set the algorithm to sha256WithRSAEncryption and I cannot figure out
how to do this with the APIs. I always end up with
sha1WithRSAEncryption. Am I trying to do the impossible here?

Thanks,
Mike
m...@buddytv.com


Re: slow https connections

2011-04-27 Thread Alan Buxey
Hi,

> Thanks for the input guys, however the 15 second pause exists even if i 
> explicitly disable reverse lookups in apache 'Hostnamelookups Off' in 
> httpd.conf and my server is operating on an internal network in a company so 
> although i cant say for sure i doubt there is much IPV6 stuff around.

the debug will probably show you this - but I don't think it's a server
issue per se - it's an issue at the client end.  check the behaviour
and environment of the end client 

alan


Compile OpenSSL with minimum modules

2011-04-27 Thread derleader mail
 
Hi,


 I need to compile OpenSSL only with support for Symmetric encryption - only 
3DES support. How I can remove all unneeded stuff? Can you give an advice what 
to remove and how to remove it?

Regards
Peter


New User Problem

2011-04-27 Thread FBE

Dear OpenSSL Community,

I am a new user of OpenSSL and have a pretty simple question.  I'm 
trying to create a self-signed certificate and so far have done the 
following.

Step 1) >openssl genrsa -des3 -out server1.key 1024
Step 2) This asked for a password and I made a password "asdf"
Step 3) >openssl req -key server1.key -out server1.csr
Step 4) At the first prompt, I typed in "asdf" and pressed enter.  
Nothing happens.  I keep pressing enter and then mash the keyboard 
until this message appears "unable to load X509 request 
6416:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem_lib.c:642:Expecting: CERTIFICATE REQUEST"
Step 5) I retried the above command except with the wrong password 
"asdfg" and it looks like I had a bad decrypt error message


Can someone tell me if I'm doing anything wrong when creating a simple 
self-signed certificate so far?
I am using Windows Vista as my OS with Win32 OpenSSL v1.0.0d and Visual 
C++ 2008 Redistributables
downloaded from this site: 
http://www.slproweb.com/products/Win32OpenSSL.html


Thank you for any help you can provide.


Re: slow https connections

2011-04-27 Thread Jim Segrave

Matthew Fletcher wrote:

> Hi,
>
> Thanks for the input guys, however the 15 second pause exists even if i 
> explicitly disable reverse lookups in apache 'Hostnamelookups Off' in 
> httpd.conf and my server is operating on an internal network in a company so 
> although i cant say for sure i doubt there is much IPV6 stuff around.
>
> Does anyone know how i would establish if there was a DNS related delay ? some 
> tool that could test DNS and name lookup speeds ? i am a software guy trying to 
> use SVN not a network guy



tcpdump/wireshark/ethereal to watch what packets are sent, where and 
with what timings. The fact it works with a non-SSL connection means 
little, as the non-SSL connection won't be trying to do a reverse lookup 
to see if the certificate name matches the name bound to the IP address



RE: slow https connections

2011-04-27 Thread Steffen DETTMER
* Matthew Fletcher, Wednesday, April 27, 2011 12:40 PM
> I guess that does not 100% rule out DNS/Network stuff, as SSL 
> could be doing extra network lookups. 
> 
> Are there any more SSL diagnostics i can enable to try and 
> pinpoint the problem ?

maybe checking with strace -ttt -p ... which operation takes so long?

oki,

Steffen

 


RE: slow https connections

2011-04-27 Thread Matthew Fletcher
Hi,

Just to test if my slowness is SSL or DNS/Network related i switched the server 
in http mode and got the guys to re-connect. Connection times are now 
sub-second. So my slowness is definitely https / SSL related.

I guess that does not 100% rule out DNS/Network stuff, as SSL could be doing 
extra network lookups. 

Are there any more SSL diagnostics i can enable to try and pinpoint the problem?


regards
 
Matthew J Fletcher

**
Serck Controls Ltd, Rowley Drive, Coventry, CV3 4FH, UK
A company registered in England Reg. No. 4353634
Tel: +44 (0) 24 7630 5050   Fax: +44 (0) 24 7630 2437
Web: www.serck-controls.com  Admin: p...@serck-controls.co.uk
A subsidiary of Schneider Electric. 
**


Re: Binding outgoing SSL connection to certain IP address

2011-04-27 Thread Michael Ionescu | Karlsruhe
Hi all,

I've been looking for a way to bind the openssl s_client command line
tool to a certain outgoing IP on a multi-IP host and all I've found was
a thread on how to do that using the library:
http://marc.info/?l=openssl-users&m=127166957110771&w=2

Is there maybe some obscure bind option the likes of
netcat -s 192.168.5.1 mx.example.com 25
to accomplish this?

What I'm trying to do is check the TLS cert on mx.example.com where this
MX only accepts connections from a secondary IP of the host I'm coming
from, as I would by saying
openssl s_client -showcerts -CApath /etc/postfix/tls/cacerts.d/ -starttls smtp -connect mx.example.com:25

What I was hoping for was an option such as
openssl s_client -s 192.168.5.1
or
openssl s_client -bind 192.168.5.1
but I guess not.

Did I miss it? Is it just undocumented? Do I have to build a non-vanilla
openssl s_client? Is there a way to connect the vanilla client through
another tool?

Thanks,
Mike


Re: issue with p12 creation and network solutions EV SSL

2011-04-27 Thread Rob Stradling
On Tuesday 26 Apr 2011 19:35:48 Mounir IDRASSI wrote:
> Hi James,
> 
> I got the the correct certificate chain from my Windows 7 box. Microsoft
> tends to update its trusted CA certificates store more quickly and
> regularly than Mozilla or Linux distros: the latest update was last
> month on March 23rd 2011.
> It is sad that even Network Solutions guys are not aware of this
> update...This issue should not have existed at the first place!

Mounir, I don't think Microsoft's March 23rd Auto Root Update is actually 
relevant here.  It didn't change any Root Certificates that NetSol's cert 
chains use, AFAIK.

Your Windows 7 box was able to build the chain because CryptoAPI chases
AIA->caIssuers URLs.  Firefox doesn't do this.  If it did, James wouldn't have 
noticed any problem in the first place.


James, I see that your server is now sending the correct chain.  A tip: you 
don't have to send the self-signed Root Certificate (Subject and Issuer = 
AddTrust External CA Root).  Each client either already trusts it (in which 
case there's no point sending it) or it doesn't already trust it (in which 
case there's no point sending it, because sending it won't make it magically 
become trusted).

 
> Good luck,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
> 
> On 4/26/2011 7:07 PM, James Chase wrote:
> > You've got the wrong chain file.  I understand that NetSol
> > switched to a new
> > EV Issuing CA a few months ago.  Are you definitely using the
> > chain file that
> > they supplied with your latest site cert?
> > 
> > I am using the chain file that they suggest downloading which already
> > has the intermediate files concatenated into a file -- but apparently
> > it is wrong. I checked the .crt file that they include with my site
> > certificate and they are the same certs that are in the chain file
> > they have precompiled. I can't believe how much time I have spent on
> > this issue and could the root of the issue be that they are not
> > packaging the right files with my new certificate? wtf
> > 
> > Mounir, where did you get those certificates?? The only cert that you
> > used that came with my certificate is the last one,
> > AddTrustExternalCARoot -- the other two are NOT included and are not
> > in NetSol's precompiled chain file. Your chain file works when I test
> > with apache, and I have just created a p12 from those chain files and
> > that works too! Halellujah.
> > 
> > But seriously, how did you synthesize that chain file? And how would I
> > be expected to create that on my own?? I spent an hour and a half on
> > the phone with NetSol telling them their was something wrong with
> > their files and they just kept saying it was my fault and they will
> > bill me $120/hour to fix it.
> > 
> > > On Tue, Apr 26, 2011 at 8:19 AM, James Chase mailto:chase1...@gmail.com>> wrote:
> > > > Well my results are quite different, and I guess point to my p12 not
> > > > being correctly created. Strangely, the p12 I am running this test on
> > > > works in production and doesn't produce a warning (I re-created last
> > > > years certificate as a new p12 using the same process I am trying with
> > > > this years).
> > > > 
> > > > I also tried running this on my test apache site, where I am just using
> > > > the plain old certificate, key and network solutions supplied chain file
> > > > -- and the openssl s_client command returns better output but I still
> > > > get a warning!
> > > > 
> > > > [me@myserver ~]$ openssl s_client -connect www.example.com:443
> > > > CONNECTED(0003)
> > > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > > > verify error:num=20:unable to get local issuer certificate
> > > > verify return:1
> > > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > > > verify error:num=27:certificate not trusted
> > > > verify return:1
> > > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.
RE: slow https connections

2011-04-27 Thread Matthew Fletcher
Hi,

Thanks for the input guys, however the 15 second pause exists even if i 
explicitly disable reverse lookups in apache 'Hostnamelookups Off' in 
httpd.conf and my server is operating on an internal network in a company so 
although i cant say for sure i doubt there is much IPV6 stuff around.

Does anyone know how i would establish if there was a DNS related delay ? some 
tool that could test DNS and name lookup speeds ? i am a software guy trying to 
use SVN not a network guy



regards
 
Matthew J Fletcher

 
 

> -Original Message-
> From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk] 
> Sent: 26 April 2011 23:05
> To: openssl-users@openssl.org
> Cc: Matthew Fletcher
> Subject: Re: slow https connections
> 
> Hi,
> > On 04/26/11 3:06 AM, Matthew Fletcher wrote:
> > > I've come to this list in search of help with slow https 
> > > connections (via the subversion, apache and finally mod_ssl lists).
> > >
> > > There is a 15 second ish delay whenever a client connects using 
> > > https,
> > 
> > 15 seconds sounds to *me* like a DNS related timeout.  perhaps the 
> > server is doing a reverse lookup on the client?
> 
> ...or is getting a  record, trying to connect to that 
> IPv6 address and failing, then falling back to IPv4
> 
> alan
> 
