Hi all,

I've posted about this before on the mod-ssl list but was redirected here.

I'm seeing strange behaviour using SSL. It's been difficult to try and dig out any useful information, but I didn't see a problem with Firefox 1.5, only 2.0 (and with MSIE). However, since we can't force users to upgrade (shame!), I need to fix this at the server end in any case.

What I see is that the client sends SYN, gets SYN/ACK, sends ACK, then does nothing for several seconds (up to 15 seconds) and then sends the TLS Hello. Another behaviour I've seen is:

   0.0s > SYN
   0.0s < SYN/ACK (1)
   0.0s > ACK (2)
   3.7s < SYN/ACK - dup of 1
   3.7s > ACK - dup of 2
  10.0s < SYN/ACK - dup of 1
  10.0s > ACK - dup of 2
  14.9s > TLS Client Hello

This is a local network and there are no lost packets - I've traced both ends and they both log this behaviour. I'm surprised that Apache is sending the dup SYN/ACK - it knows the client received it last time since it has the ACK. OTOH the really puzzling thing to me is why the client doesn't send the TLS Client Hello in the first place. I suspect that it's going horribly wrong _earlier_ and these delays are just a symptom.

This is using sifr (which does some replacement of text with Flash script using javascript). If I create a page with say 30 embedded flash objects (uniquely named variants of the flash file in question) then it loads just fine. In the normal case, using sifr, the client fetches the page, css, js, maybe a couple of copies of the flash file (yes, it refetches the same file - doh!), then it starts to exhibit this strange pausing behaviour.

My latest experiments involve running 2.2.3 (debian unstable) on my laptop. This works fine (I'm editing /etc/hosts so that the certificate etc match). However if I point to a debian stable Xen host I get hangs. I've set the MTU on lo to 1500 but localhost still works.
I've tried tweaking nigh on every SSL setting (mutex, sessioncache, random source, ssl-unclean-shutdown, keepalive, ssl-accurate-shutdown), looked at the debug (can't see any errors, but there is a lot there). I've also tried symlinking /dev/random to /dev/urandom on my client in case it was a lack of entropy issue on the client. I've also tweaked keepalive, pipelining, max_requests etc in the browser (and KA on the server) to no avail. Needless to say, this all works fine using http.

We aren't sending any of the headers mentioned here and I've used mod-headers to remove the range headers in case they were causing confusion:

http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=fdc7b5c&pss=rss_flashplayer_fdc7b5c

However the slowdown also affects the browser even if flash isn't installed.

I've been banging my head against the wall for a few days on this, shortly I'll be putting spikes in the wall to end my misery :-)

Too much debug info to append here, but if there are specific bits then I'll post them. I'll be suggesting that we move to sifr v3 which does some preloading hacks to avoid the multiple requests, but I'm a bit concerned that there is an underlying problem here somewhere that will come back to bite us.

Thanks in advance,

Adrian

--
Adrian Bridgett - adrian@xxxxxxxxxx
GPG key available on public key servers
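A small diagnostic, added here as an example and not part of Adrian's post or of Apache, that parses a timeline in the format quoted above (a constructed copy of it, not a real capture) and flags the two symptoms he describes: SYN/ACKs retransmitted by the server after the client's ACK was already on the wire, and a long gap between the completed handshake and the TLS Client Hello. The threshold of one second is an assumption.

```python
import re

# Constructed sample mirroring the timeline quoted in the post (not a real capture).
TRACE = """\
 0.0s > SYN
 0.0s < SYN/ACK (1)
 0.0s > ACK (2)
 3.7s < SYN/ACK - dup of 1
 3.7s > ACK - dup of 2
10.0s < SYN/ACK - dup of 1
10.0s > ACK - dup of 2
14.9s > TLS Client Hello
"""

LINE_RE = re.compile(r"^\s*([\d.]+)s\s+([<>])\s+(.*)$")

def parse_trace(text):
    """Turn '<time>s <dir> <packet> [annotation]' lines into (time, dir, label) tuples.
    '>' is client to server and '<' is server to client, as in the post."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrelated line
        label = re.split(r"\s+\(|\s+-\s", m.group(3))[0].strip()  # drop "(1)" / "- dup of 1"
        events.append((float(m.group(1)), m.group(2), label))
    return events

def analyse_handshake(events, stall_threshold_s=1.0):
    """Count server SYN/ACKs seen after the client's first ACK (a SYN/ACK retransmit means
    the server's TCP stack has not processed that ACK) and measure the gap from the
    client's ACK to its TLS Client Hello; a gap above the threshold is reported as a stall."""
    first_ack = client_hello = None
    late_syn_ack = 0
    for t, direction, label in events:
        if direction == ">" and label == "ACK" and first_ack is None:
            first_ack = t
        elif direction == "<" and label == "SYN/ACK" and first_ack is not None:
            late_syn_ack += 1
        elif direction == ">" and label == "TLS Client Hello" and client_hello is None:
            client_hello = t
    gap = None if first_ack is None or client_hello is None else round(client_hello - first_ack, 3)
    return {
        "syn_ack_after_ack": late_syn_ack,
        "ack_to_client_hello_s": gap,
        "stalled": gap is not None and gap > stall_threshold_s,
    }
```

Run `analyse_handshake(parse_trace(TRACE))` on the sample to see both symptoms flagged; on a healthy connection both counters stay at zero and `stalled` is False.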