is at rambler-co.ru
Wed Dec 12 09:59:50 MSK 2007
On Tue, Dec 11, 2007 at 12:16:01PM -0800, Curtis Spencer wrote:
> On Dec 11, 2007 12:00 AM, Igor Sysoev <is at rambler-co.ru> wrote:
> > Could you how you run httperf ? I will try to reproduce it in my
> > environment.
> httperf --server=www.mydomain.com --server-name=www.mydomain.com
> --uri=/public/index --ssl --num-conns=10 --num-calls 10
> I can run this a few times at a decent speed, but the more I do it it
> just degrades until it will take about 10 minutes to finish. Even on
> just an index page. I ran it using httperf-0.8 compiled Sep 8 2006
> without DEBUG without TIME_SYSCALLS.
> Let me know if you need me to try some more examples with it.
OK, I will try.
> > > 2) I still encounter the issue where SSL requests hang indefinitely
> > > for some firefox users in my office. I dug a little deeper and I found
> > > that people around the internet are having issues with Mozilla Firefox
> > > 2.0 and having the Use TLS 1.0 set to checked in the preferences and
> > > negotiating SSL connections with secure servers. Everyone in my
> > > office who was having the problem was using Mozilla Firefox 2.0, so I
> > > had them all disable the TLS 1.0 settings. I am going to watch and
> > > see what happens over the next few days.
> > >
> > > This brings up the issue. Has anyone encountered this TLS issue as
> > > well, and is there a server setting I can set on nginx to prevent
> > > Firefox from even trying to use TLS 1.0 (if this is even the problem)?
> OK, so even after disabling TLS on the firefox that has the issue,
> there is still the slowdown for the people in the office today. I
> will give the server change a try and see what happens. Should I also
> set the ssl_prefer_server_ciphers configuration setting as well? Are
ssl_prefer_server_ciphers was created to force client to use ciphers
that can be accelerated by hardware SSL engine.
If these directives are set:
and Soekris vpn1401 is used, then MSIE and Opera will use DES-CBC3-SHA
and Firefox and Konqueror will use AES128-SHA.
> there any other browser issues that may be causing this?
I do not know.
> > You may only disable TLSv1 at all:
> > ssl_protocols SSLv2 SSLv3;
> > The no way to find out a browser before SSL handshake will be done.
> > This is the same case as it was with name-based virtual hosts.
> What is the downside to this?
TLSv1 is almost the same as SSLv3.
More information about the nginx