SSL Strangeness

Curtis Spencer thorin at
Tue Dec 11 23:16:01 MSK 2007


On Dec 11, 2007 12:00 AM, Igor Sysoev <is at> wrote:
> Could you how you run httperf ? I will try to reproduce it in my
> environment.

--uri=/public/index --ssl --num-conns=10 --num-calls 10

I can run this a few times at a decent speed, but the more I do it it
just degrades until it will take about 10 minutes to finish.  Even on
just an index page.  I ran it using httperf-0.8 compiled Sep 8 2006
without DEBUG without TIME_SYSCALLS.

Let me know if you need me to try some more examples with it.

> > 2)  I still encounter the issue where SSL requests hang indefinitely
> > for some firefox users in my office. I dug a little deeper and I found
> > that people around the internet are having issues with Mozilla Firefox
> > 2.0 and having the Use TLS 1.0 set to checked in the preferences and
> > negotiating SSL connections with secure servers.  Everyone in my
> > office who was having the problem was using Mozilla Firefox 2.0, so I
> > had them all disable the TLS 1.0 settings.  I am going to watch and
> > see what happens over the next few days.
> >
> > This brings up the issue.  Has anyone encountered this TLS issue as
> > well, and is there a server setting I can set on nginx to prevent
> > Firefox from even trying to use TLS 1.0 (if this is even the problem)?

OK, so even after disabling TLS on the firefox that has the issue,
there is still the slowdown for the people in the office today.  I
will give the server change a try and see what happens.  Should I also
set the ssl_prefer_server_ciphers configuration setting as well?  Are
there any other browser issues that may be causing this?

> You may only disable TLSv1 at all:
> ssl_protocols SSLv2 SSLv3;
> The no way to find out a browser before SSL handshake will be done.
> This is the same case as it was with name-based virtual hosts.

What is the downside to this?

> --
> Igor Sysoev

More information about the nginx mailing list