SSL Handshake delay on Windows XP vs CentOS 5

Hi,

I noticed that the SSL handshake between a client and Glacier2 is considerably slower on CentOS 5.

Has anyone noticed this? I used exactly the same config for the client and Glacier2 on both environments. The only difference is in the IP addresses.

Here's a trace output on Windows XP.
[ 10/8/09 15:20:24:276 Client: just before Glacier2.RouterPrxHelper.checkedCast ]
[ 10/8/09 15:20:24:557 Security: enabling SSL ciphersuites:


Notice that in this case there's only a < 300 ms delay between calling the checked cast method and the first SSL security trace.


Here's the same thing on CentOS 5
[ 10/8/09 15:26:06:749 Client: just before Glacier2.RouterPrxHelper.checkedCast ]
[ 10/8/09 15:26:11:577 Security: enabling SSL ciphersuites:

The delay is more than 5 seconds.

Here's the client side config
Ice.Default.Router=Glacier2/router:ssl -h 10.11.22.122 -p 4064

Ice.ACM.Client=0
Ice.MonitorConnections=60
Ice.RetryIntervals=-1

Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=.
IceSSL.CertAuthDir=.
IceSSL.CertAuthFile=ca.cert

IceSSL.TrustOnly=CN="Glacier2Server"
IceSSL.CheckCertName=0

IceSSL.Trace.Security=1
Ice.Trace.Network=1
Ice.Trace.Protocol=0


And here's the server side config
Glacier2.CryptPasswords=cryptFile
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=certs
IceSSL.CertFile=server.pem
IceSSL.KeyFile=server.key
Ice.Trace.Network=2
IceSSL.VerifyPeer=0
IceSSL.Trace.Security=1

There must be something wrong in my setup? Although it works OK on Windows XP.

Thanks
Budyanto

Comments

  • benoit
    benoit Rennes, France
    Hi,

    Which Ice version and language mappings do you use?

    With Ice for Java, such delays are often caused by an entropy pool being empty; perhaps this is what is happening here? Here are the instructions from the java/README file of the Ice source distribution about this:
    When using the Ice for Java SSL plug-in (IceSSL), you may experience
    occasional hangs. The most likely reason is that your system's entropy
    pool is empty. If you have sufficient system privileges, you can solve
    this issue by editing the following file
    
      <java.home>/jre/lib/security/java.security
    
    and changing it to use /dev/urandom instead of /dev/random. If you do
    not have permission to modify the security file, you can also use the
    command-line option shown below:
    
      java -Djava.security.egd=file:/dev/urandom MyClass ...
    

    Let us know if this isn't the problem.

    Cheers,
    Benoit.
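
Added example, not part of the thread or of the Ice distribution: a small Java diagnostic for the entropy explanation in the reply above. It prints the seed source the JVM is configured with and times SecureRandom seeding and a default SSLContext initialization; the class name EntropyCheck and the 1000 ms threshold are assumptions.

```java
import java.security.SecureRandom;
import java.security.Security;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name, not Ice code): shows which seed
// source the JVM uses and how long the random-number and SSL setup steps take.
public class EntropyCheck {
    // Assumed threshold above which a step is reported as slow.
    private static final long SLOW_MS = 1000;

    private static void report(String step, long startNanos) {
        long ms = (System.nanoTime() - startNanos) / 1000000L;
        System.out.println(step + ": " + ms + " ms" + (ms > SLOW_MS ? "  <-- slow" : ""));
    }

    public static void main(String[] args) throws Exception {
        // Value set in the java.security file mentioned in the README excerpt
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        // Value from -Djava.security.egd=..., null when the option is not given
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));

        long t = System.nanoTime();
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(new byte[32]); // forces the generator to seed itself
        report("SecureRandom first use (" + rng.getAlgorithm() + ")", t);

        t = System.nanoTime();
        rng.generateSeed(16); // asks the seed source directly; can block on an empty pool
        report("generateSeed(16)", t);

        t = System.nanoTime();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers and default SecureRandom
        ctx.createSSLEngine();      // creates an engine from the initialized context
        report("SSLContext init + engine creation", t);
    }
}
```

Run it with the same JVM and the same -D options as the client on each machine and compare the timings.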
  • It's already using /dev/urandom.

    I'm using Ice 3.3.1 and Java language mappings.

    By the way, the client is on a Windows XP machine.

    If the client talks to Glacier2 on Windows XP, I don't see the delay. If the Glacier2 is on CentOS 5, I see the 5-second delay.

    Thanks
    Budyanto
  • benoit
    benoit Rennes, France
    Hi,

    Did you try using TCP instead? Could you enable network and protocol tracing on both the client and Glacier2 to see if it helps trying to narrow down where the delay occurs (with Ice.Trace.Network=2 and Ice.Trace.Protocol=1)?

    Btw, is this with CentOS 5.1 or 5.2?

    Cheers,
    Benoit.
  • It's CentOS 5.3

    Here's the output on the client side with those traces turned on
    [ 10/12/09 12:27:02:888 Client: Glacier2.RouterPrxHelper.checkedCast ]
    [ 10/12/09 12:27:07:435 Network: trying to establish ssl connection to 10.11.22.122:4064 ]
    [ 10/12/09 12:27:07:685 Security: enabling SSL ciphersuites:
        SSL_RSA_WITH_RC4_128_MD5
        SSL_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
    

    I don't see anything on the server side until 12:27:07. Hmm, it's really strange.
  • mes
    mes California
    Hi,

    I tried to reproduce this issue using the Glacier2/callback demo from the Ice distribution. I ran the servers on CentOS 5.3 and tried the Java client on both Windows XP and CentOS 5.3. I did not see any unusual delays during SSL connection establishment. Which JVM are you using?

    Please post the trace output when running the client on CentOS with the following properties enabled:

    Ice.Trace.Network=3
    Ice.Trace.Protocol=1

    Here's the client side config
    Ice.Plugin.IceSSL=IceSSL.PluginFactory
    IceSSL.DefaultDir=.
    IceSSL.CertAuthDir=.
    IceSSL.CertAuthFile=ca.cert
    
    Note that the IceSSL.CertAuthDir and IceSSL.CertAuthFile properties are not used by IceSSL for Java.

    Regards,
    Mark