Topic: SSL / long connection times
Author
zook
Joined: 23 Feb 2006 Posts: 2
Posted: Thu 23 Feb '06 0:28 Post subject: SSL / long connection times
Hi,
I have the following configuration:
Win2003 Server
Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
Self-signed certificate (that does NOT currently match the server name - big whoops here? It generates warnings but otherwise shouldn't create problems, right?)
I'm using this setup to serve PHP pages and enable secure downloads of files, some of which are up to 150 MB in size.
The problem is that some clients (using Internet Explorer) complain about very long connection times (30 secs to a minute, perhaps), especially when two clients are simultaneously downloading large files. After the connection has finally been established, the download itself works fine and with the expected speed. But I've noticed long connection times even while serving normal pages. Even loading small images over a Gigabit-LAN can take seconds. Using other browsers seems to result in the same problems.
Whatever, I haven't been able to pin it down yet.
The "unclean shutdown" messages I get are probably due to the
"SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0" directive.
There are also seemingly random "SSL input filter read failed" errors.
My ssl.conf:
------------------------------------------------------------------
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#<IfDefine SSL>
Listen *:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex Default
<VirtualHost (x.x.x.x):443>
    DocumentRoot "h:/apachedata"
    ServerName x.x.x.x
    ServerAdmin x@x.com
    ErrorLog logs/error_log
    TransferLog logs/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/ssl/xxx.crt
    SSLCertificateKeyFile conf/ssl/xxx.key
    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "c:/apache/cgi">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
#</IfDefine>
------------------------------------------------------------------------
From the logs:
------------------------------------------------------------------------
[Mon Feb 20 17:43:30 2006] [info] Server: Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
[Mon Feb 20 17:43:31 2006] [info] Init: Initializing OpenSSL library
[Mon Feb 20 17:43:31 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Feb 20 17:43:31 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Feb 20 17:43:31 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Mon Feb 20 17:43:32 2006] [info] Init: Initializing (virtual) servers for SSL
[Mon Feb 20 17:43:32 2006] [info] Server: Apache/2.0.55, Interface: mod_ssl/2.0.55, Library: OpenSSL/0.9.8a
[Mon Feb 20 17:43:32 2006] [notice] Child 5200: Child process is running
[Mon Feb 20 17:43:32 2006] [info] Parent: Duplicating socket 208 and sending it to child process 5200
[Mon Feb 20 17:43:33 2006] [info] Parent: Duplicating socket 204 and sending it to child process 5200
[Mon Feb 20 17:43:33 2006] [notice] Child 5200: Acquired the start mutex.
[Mon Feb 20 17:43:33 2006] [notice] Child 5200: Starting 250 worker threads.
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:18:28 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:18:28 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:19:16 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:19:17 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
------------------------------------------------------------------------
Does anyone have an idea what's wrong here?
Thanks, Jörg
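Added example, not part of the original post: one way to read the error_log excerpt above is to pair each "established" event with the first-request and "closed" events for the same child, which gives the server-side time to first request, the connection lifetime and the shutdown type. The function name `connection_timeline` is hypothetical, and the message formats are assumed to be exactly those shown in the excerpt.

```python
import re
from datetime import datetime

# Connection events copied from the error_log excerpt in the post above
# ("xxxx" is the poster's own redaction).
SAMPLE_LOG = """\
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:18:28 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:18:28 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:18:28 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Connection to child 249 established (server xxxx:443, client xxxx)
[Tue Feb 21 18:19:16 2006] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 21 18:19:16 2006] [info] Initial (No.1) HTTPS request received for child 249 (server xxxx:443)
[Tue Feb 21 18:19:17 2006] [info] Connection to child 249 closed with unclean shutdown(server xxxx:443, client xxxx)
"""

# Matches the three mod_ssl info messages that mark a connection's life cycle.
EVENT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[info\] "
    r"(?:Connection to child (?P<c1>\d+) "
    r"(?P<what>established|closed with (?P<how>\w+) shutdown)"
    r"|Initial \(No\.1\) HTTPS request received for child (?P<c2>\d+))"
)

def connection_timeline(log_text):
    """Return one record per completed connection, in order of closing."""
    open_conns, done = {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # e.g. the "Seeding PRNG" lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        child = int(m["c1"] or m["c2"])
        if m["what"] == "established":
            open_conns[child] = {"child": child, "opened": ts,
                                 "request_after_s": None}
        elif child in open_conns:
            conn = open_conns[child]
            if m["c2"]:  # first request has been read over this connection
                conn["request_after_s"] = (ts - conn["opened"]).total_seconds()
            else:        # "closed with <type> shutdown"
                conn["lifetime_s"] = (ts - conn["opened"]).total_seconds()
                conn["shutdown"] = m["how"]
                done.append(open_conns.pop(child))
    return done

if __name__ == "__main__":
    for c in connection_timeline(SAMPLE_LOG):
        print(c["opened"], c["child"], c["request_after_s"],
              c["lifetime_s"], c["shutdown"])
```

On the excerpt, both connections log their first request in the same second the connection was established and close after 0 and 1 seconds; the log timestamps have one-second resolution.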
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
Posted: Thu 23 Feb '06 13:36 Post subject:
Hi,
Your configuration looks ok.
Without SSL still the same issue?
You can try setting one of the directives:
Win32DisableAcceptEx
EnableSendfile Off
EnableMMAP off
Also you can try 2.2.0, there are some changes in the SSL area.
Steffen
zook
Joined: 23 Feb 2006 Posts: 2
Posted: Mon 27 Feb '06 0:35 Post subject:
Thanks for the tip. Alas, it didn't work. Whenever I try to download a huge file, the apache process grows to >150 MB, meaning it tries to read the file into memory before serving it.
Adding
Win32DisableAcceptEx
EnableSendfile Off
EnableMMAP off
to the config (main server or virtual host context) didn't change that.