logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: SSL / long connection times
Author
zook



Joined: 23 Feb 2006
Posts: 2

PostPosted: Thu 23 Feb '06 0:28    Post subject: SSL / long connection times Reply with quote

Hi,

I have the following configuration:

Win2003 Server
Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a

Self-signed certificate (that does NOT currently match the server name - big whoops here? It generates warnings but otherwise shouldn't create problems, right?)

I'm using this setup to serve PHP pages and enable secure downloads of files, some of which are up to 150 MB in size.

The problem is that some clients (using Internet Explorer) complain about very long connection times (30 secs to a minute, perhaps), especially when two clients are simultaneously downloading large files. After the connection has finally been established, the download itself works fine and with the expected speed. But I've noticed long connection times even while serving normal pages. Even loading small images over a Gigabit-LAN can take seconds. Using other browsers seems to result in the same problems.
Whatever, I haven't been able to pin it down yet.

The "unclean shutdown" messages I get are probably due to the
"SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0" directive.

The are also seemingly random "SSL input filter read failed" errors.

My ssl.conf:
------------------------------------------------------------------
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#<IfDefine SSL>
Listen *:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex Default

<VirtualHost (x.x.x.x):443>
DocumentRoot "h:/apachedata"
ServerName x.x.x.x
ServerAdmin x@x.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/xxx.crt
SSLCertificateKeyFile conf/ssl/xxx.key
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/apache/cgi">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
#</IfDefine>
------------------------------------------------------------------------

From the logs:

------------------------------------------------------------------------
[Mon Feb 20 17:43:30 2006] [info] Server: Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
[Mon Feb 20 17:43:31 2006] [info] Init: Initializing OpenSSL library
[Mon Feb 20 17:43:31 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Feb 20 17:43:31 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Feb 20 17:43:31 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Mon Feb 20 17:43:32 2006] [info] Init: Initializing (virtual) servers for SSL
[Mon Feb 20 17:43:32 2006] [info] Server: Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
[Mon Feb 20 17:43:32 2006] [notice] Child 5200: Child process is running
[Mon Feb 20 17:43:32 2006] [info] Parent: Duplicating socket 208 and sending it to child process 5200
[Mon Feb 20 17:43:33 2006] [info] Parent: Duplicating socket 204 and sending it to child process 5200
[Mon Feb 20 17:43:33 2006] [notice] Child 5200: Acquired the start mutex.
[Mon Feb 20 17:43:33 2006] [notice] Child 5200: Starting 250 worker threads.


[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:18:28 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:18:28 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:19:16 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:19:17 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
------------------------------------------------------------------------

Does anyone have an idea what's wrong here?

Thanks, Jörg
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3094
Location: Hilversum, NL, EU

PostPosted: Thu 23 Feb '06 13:36    Post subject: Reply with quote

Hi,

Your configuration looks ok.
Without SSL still the same issue ?

You can try setting one of the directives:

Win32DisableAcceptEx
EnableSendfile Off
EnableMMAP off

Also you can try 2.2.0, there are some changes in the SSL area.


Steffen
Back to top
zook



Joined: 23 Feb 2006
Posts: 2

PostPosted: Mon 27 Feb '06 0:35    Post subject: Reply with quote

Thanks for the tip. Alas, it didn't work. Whenever I try to download a huge file, the apache process grows to >150 MB, meaning it tries to read the file into memory before serving it.

Adding

Win32DisableAcceptEx
EnableSendfile Off
EnableMMAP off

to the config (main server or virtual host context) didn't change that.
Back to top


Reply to topic   Topic: SSL / long connection times View previous topic :: View next topic
Post new topic   Forum Index -> Apache