SSL Handshake delay on Windows XP vs CentOS 5
Hi,
I noticed that the SSL handshake between a client and Glacier2 is considerably slower on CentOS 5.
Has anyone noticed this? I used exactly the same config for the client and Glacier2 on both environments. The only difference is in the IP addresses.
Here's a trace output on Windows XP.
[ 10/8/09 15:20:24:276 Client: just before Glacier2.RouterPrxHelper.checkedCast ]
[ 10/8/09 15:20:24:557 Security: enabling SSL ciphersuites:
Notice that in this case there's only < 300 ms delay between calling the checked cast method to the first SSL security trace.
Here's the same thing on CentOS 5
[ 10/8/09 15:26:06:749 Client: just before Glacier2.RouterPrxHelper.checkedCast ]
[ 10/8/09 15:26:11:577 Security: enabling SSL ciphersuites:
The delay is more than 5 seconds.
Here's the client side config
Ice.Default.Router=Glacier2/router:ssl -h 10.11.22.122 -p 4064
Ice.ACM.Client=0
Ice.MonitorConnections=60
Ice.RetryIntervals=-1
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=.
IceSSL.CertAuthDir=.
IceSSL.CertAuthFile=ca.cert
IceSSL.TrustOnly=CN="Glacier2Server"
IceSSL.CheckCertName=0
IceSSL.Trace.Security=1
Ice.Trace.Network=1
Ice.Trace.Protocol=0
And here's the server side config
Glacier2.CryptPasswords=cryptFile
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=certs
IceSSL.CertFile=server.pem
IceSSL.KeyFile=server.key
Ice.Trace.Network=2
IceSSL.VerifyPeer=0
IceSSL.Trace.Security=1
There must be something wrong in my setup? Although it works ok on Windows XP
Thanks
Budyanto
Comments
Hi,
Which Ice version and language mappings do you use?
With Ice for Java, such delays are often caused by an entropy pool being empty, perhaps this is what is happening here? Here are the instructions from the java/README file of the Ice source distribution about this:

When using the Ice for Java SSL plug-in (IceSSL), you may experience occasional hangs. The most likely reason is that your system's entropy pool is empty. If you have sufficient system privileges, you can solve this issue by editing the following file

    <java.home>/jre/lib/security/java.security

and changing it to use /dev/urandom instead of /dev/random. If you do not have permission to modify the security file, you can also use the command-line option shown below:

    java -Djava.security.egd=file:/dev/urandom MyClass ...

Let us know if this isn't the problem.
Cheers,
Benoit.
It's already using /dev/urandom.
I'm using Ice 3.3.1 and Java language mappings.
By the way, the client is on a Windows XP machine.
If the client talks to Glacier2 on Windows XP, I don't see the delay. If the Glacier2 is on CentOS 5, I see the 5 seconds delay.
Thanks
Budyanto
Hi,
Did you try using TCP instead? Could you enable network and protocol tracing on both the client and Glacier2 to see if it helps trying to narrow down where the delay occurs (with Ice.Trace.Network=2 and Ice.Trace.Protocol=1)?
Btw, is this with CentOS 5.1 or 5.2?
Cheers,
Benoit.
It's CentOS 5.3
Here's the output on the client side with those traces turned on
[ 10/12/09 12:27:02:888 Client: Glacier2.RouterPrxHelper.checkedCast ]
[ 10/12/09 12:27:07:435 Network: trying to establish ssl connection to 10.11.22.122:4064 ]
[ 10/12/09 12:27:07:685 Security: enabling SSL ciphersuites: SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA
I don't see anything on the server side until 12:27:07. Hmm it's really strange.
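
An added example, not part of the original thread: a small Python helper that parses the Ice trace timestamps quoted in the posts above and reports the time between consecutive entries, so the slow step can be located. The function names and the month/day/year reading of the date field are assumptions.

```python
import re
from datetime import datetime, timedelta

# One trace entry: "[ <date> <time:ms> <Category>: <message>". The closing " ]"
# is optional because pasted output is often cut off mid-entry.
ENTRY = re.compile(r"\[ (\d+/\d+/\d+ \d+:\d+:\d+:\d+) (\w+): ([^\[\]]*)")

def parse_trace(text):
    """Return (timestamp, category, message) for every trace entry in text."""
    entries = []
    for stamp, category, message in ENTRY.findall(text):
        # Assumption: the date is month/day/two-digit year; %f reads the ms field.
        when = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S:%f")
        entries.append((when, category, message.strip()))
    return entries

def gaps_ms(entries):
    """(milliseconds, from_category, to_category) for each consecutive pair."""
    return [
        ((b[0] - a[0]) // timedelta(milliseconds=1), a[1], b[1])
        for a, b in zip(entries, entries[1:])
    ]

def slowest_step(entries):
    """The consecutive pair of entries separated by the largest gap."""
    return max(gaps_ms(entries), key=lambda gap: gap[0])

# Trace lines copied from the posts above (cipher list shortened to one entry).
XP_SERVER_TRACE = """
[ 10/8/09 15:20:24:276 Client: just before Glacier2.RouterPrxHelper.checkedCast ]
[ 10/8/09 15:20:24:557 Security: enabling SSL ciphersuites:
"""
CENTOS_SERVER_TRACE = """
[ 10/12/09 12:27:02:888 Client: Glacier2.RouterPrxHelper.checkedCast ]
[ 10/12/09 12:27:07:435 Network: trying to establish ssl connection to 10.11.22.122:4064 ]
[ 10/12/09 12:27:07:685 Security: enabling SSL ciphersuites: SSL_RSA_WITH_RC4_128_MD5
"""

if __name__ == "__main__":
    for name, trace in [("XP", XP_SERVER_TRACE), ("CentOS", CENTOS_SERVER_TRACE)]:
        for ms, src, dst in gaps_ms(parse_trace(trace)):
            print(f"Glacier2 on {name}: {ms:5d} ms between {src} and {dst} entries")
```
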
Hi,
I tried to reproduce this issue using the Glacier2/callback demo from the Ice distribution. I ran the servers on CentOS 5.3 and tried the Java client on both Windows XP and CentOS 5.3. I did not see any unusual delays during SSL connection establishment. Which JVM are you using?
Please post the trace output when running the client on CentOS with the following properties enabled:
Ice.Trace.Network=3
Ice.Trace.Protocol=1

ngambek2003 wrote: »
Here's the client side config
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=.
IceSSL.CertAuthDir=.
IceSSL.CertAuthFile=ca.cert

Regards,
Mark