Python, SSL, performance

Hello,
I find ICE very well thought-out and consider adapting a few OSS with distributed features, though I'm having a few questions, which came up during testing:

* How can I use SSL in Python? In the Programming with ICE book, there's only a short mention about Python "being able to use the C++ features"? Also in the IcePy sources I find no real trace of SSL (except in Glacier2 and some tests for IcePy). Could you expand on that a little?

* Certificate Authority: I'm not very familiar with all those terms, but I guess, a CA just stores your and other party's keys and you can believe that the key you get from it is indeed the public key of the other party - did I interpret the documentation correctly?

So my question here is: Using a private CA on our intranet, am I protected from an SSL man-in-the-middle attack? What I mean is described succinctly in this Wikipedia article, where the public key of the other party is replaced.

* TCP/IP and Python performance: I tried out the basic Hello world examples of omniORB & omniORBpy and ICE & IcePy, which just display "Hello world" remotely with no output locally by the client, 5000 times.

See the results...

omniORB from C++
real 0m8.632s
user 0m0.506s
sys 0m0.600s

Not so great...

ICE from C++
real 0m0.993s
user 0m0.080s
sys 0m0.175s

Impressive!

---

omniORBpy from Python
real 0m1.171s
user 0m0.168s
sys 0m0.072s

Not bad!

IcePy from Python
real 0m1.347s
user 0m0.325s
sys 0m0.208s

Hmmm... especially the user & sys numbers make me wonder... maybe omniORBpy is ultra-optimized for Python (though it still depends on omniORB), but it seems to do a few things faster here.

Is there maybe room for optimization of the Python language binding?


Thanks for your time,
Ernstl

Comments

  • With 50K requests, it's more visible:

    omniORBpy:
    real 0m10.862s
    user 0m1.154s
    sys 0m0.628s

    IcePy:
    real 0m11.289s
    user 0m2.130s
    sys 0m2.030s
  • Welcome to our forums!

    Please see this link regarding our support policy.
  • marc wrote:
    Welcome to our forums!

    Please see this link regarding our support policy.

    Thanks! :)

    And signature should be done.
  • matthew NL, Canada
    It's always possible to optimize just a little more :) However, at some point you have to ask how important it is. In particular, these hello world tests generally have little importance in real applications. For most applications with a well-defined interface, either the network latency or the processing time on the server side for the data will dominate.
  • Note that I'm not convinced that your performance tests are accurate. We measured omniORB some time ago, and it is a very fast CORBA ORB. I do not see how there could be such a huge difference between Ice for C++ and omniORB. Perhaps they were not compiled with the same optimization settings, or you didn't use similar threading models?
  • mes California
    Hi,
    Ernstl wrote:
    How can I use SSL in Python?

    You configure it just like you do in C++. The only limitation is that you can't access the plug-in programmatically, so you are restricted to the capabilities provided by the plug-in's configuration properties.

    Ernstl wrote:
    Certificate Authority: I'm not very familiar with all those terms, but I guess, a CA just stores your and other party's keys and you can believe that the key you get from it is indeed the public key of the other party - did I interpret the documentation correctly?

    Briefly, a certificate authority is responsible for signing a certificate to indicate that the subject of the certificate is who he says he is. If both parties trust the CA, then they generally trust the certificates that the CA has signed.

    Ernstl wrote:
    So my question here is: Using a private CA on our intranet, am I protected from an SSL man-in-the-middle attack?

    Assuming that you have sufficiently protected the CA's private key (so that an attacker could not generate a bogus certificate that is signed by the CA), you can avoid MITM attacks by requiring all parties to supply certificates that are signed by the CA. There are additional steps you can take for even more security, as described in the manual (see the discussions of certificate depths and the TrustOnly properties).

    Hope that helps,
    - Mark
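
The property-based setup described in the answer above, as an added example that is not part of the original thread or of the Ice distribution: a weak and a hardened IceSSL property set, a small audit of the peer-verification settings, and a helper that passes the properties to Ice from Python. The file names, the distinguished name and the `parse`, `audit` and `make_communicator` helpers are assumptions; `IceSSL.CertAuthFile` is the CA property in older Ice releases and `IceSSL.CAs` in newer ones, and the defaults used for `IceSSL.VerifyPeer` and `IceSSL.VerifyDepthMax` should be checked against the property reference of the installed Ice version.

```python
import sys

# Constructed property sets; file names and the DN are placeholders.
WEAK = """
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.CertFile=client.pem
IceSSL.VerifyPeer=0
"""
HARDENED = """
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.CertAuthFile=intranet_ca.pem
IceSSL.CertFile=client.pem
IceSSL.KeyFile=client_key.pem
IceSSL.VerifyPeer=2
IceSSL.VerifyDepthMax=2
IceSSL.TrustOnly=CN="hello-server",O="Example Intranet"
"""

def parse(text):
    """Parse key=value property lines into a dict."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit(props):
    """List settings that weaken or leave out the checks discussed above."""
    findings = []
    if "IceSSL" not in props.get("Ice.Plugin.IceSSL", ""):
        findings.append("IceSSL plug-in not loaded")
    if not (props.get("IceSSL.CertAuthFile") or props.get("IceSSL.CAs")):
        findings.append("no CA certificate configured")
    if int(props.get("IceSSL.VerifyPeer", "2")) < 2:  # assumed default: 2
        findings.append("VerifyPeer below 2: peer certificate not required")
    if int(props.get("IceSSL.VerifyDepthMax", "2")) == 0:  # 0 = no limit
        findings.append("VerifyDepthMax is 0: chain length unlimited")
    if not any(k.startswith("IceSSL.TrustOnly") for k in props):
        findings.append("no TrustOnly rule: any CA-signed peer is accepted")
    return findings

def make_communicator(props):
    """Start Ice with these properties (needs the Ice for Python package)."""
    import Ice  # lazy import so the audit above runs without Ice installed
    data = Ice.InitializationData()
    data.properties = Ice.createProperties()
    for key, value in props.items():
        data.properties.setProperty(key, value)
    return Ice.initialize(sys.argv, data)

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse(text)))
```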