SSL Strangeness
Igor Sysoev
is at rambler-co.ru
Wed Dec 12 09:59:50 MSK 2007
On Tue, Dec 11, 2007 at 12:16:01PM -0800, Curtis Spencer wrote:
> Hi,
>
> On Dec 11, 2007 12:00 AM, Igor Sysoev <is at rambler-co.ru> wrote:
> >
> > Could you tell me how you run httperf? I will try to reproduce it in my
> > environment.
>
> httperf --server=www.mydomain.com --server-name=www.mydomain.com
> --uri=/public/index --ssl --num-conns=10 --num-calls 10
>
> I can run this a few times at a decent speed, but the more I do it, it
> just degrades until it will take about 10 minutes to finish. Even on
> just an index page. I ran it using httperf-0.8 compiled Sep 8 2006
> without DEBUG without TIME_SYSCALLS.
>
> Let me know if you need me to try some more examples with it.
OK, I will try.
> > > 2) I still encounter the issue where SSL requests hang indefinitely
> > > for some firefox users in my office. I dug a little deeper and I found
> > > that people around the internet are having issues with Mozilla Firefox
> > > 2.0 and having the Use TLS 1.0 set to checked in the preferences and
> > > negotiating SSL connections with secure servers. Everyone in my
> > > office who was having the problem was using Mozilla Firefox 2.0, so I
> > > had them all disable the TLS 1.0 settings. I am going to watch and
> > > see what happens over the next few days.
> > >
> > > This brings up the issue. Has anyone encountered this TLS issue as
> > > well, and is there a server setting I can set on nginx to prevent
> > > Firefox from even trying to use TLS 1.0 (if this is even the problem)?
>
> OK, so even after disabling TLS on the firefox that has the issue,
> there is still the slowdown for the people in the office today. I
> will give the server change a try and see what happens. Should I also
> set the ssl_prefer_server_ciphers configuration setting as well? Are
ssl_prefer_server_ciphers was created to force the client to use ciphers
that can be accelerated by hardware SSL engine.
If these directives are set:
ssl_prefer_server_ciphers on;
ssl_ciphers AES128-SHA:DES-CBC3-SHA:!EXPORT56:RC4+RSA:+SSLv2:+EXP;
and a Soekris vpn1401 is used, then MSIE and Opera will use DES-CBC3-SHA
and Firefox and Konqueror will use AES128-SHA.
> there any other browser issues that may be causing this?
I do not know.
> > You can only disable TLSv1 altogether:
> >
> > ssl_protocols SSLv2 SSLv3;
> >
> > There is no way to find out the browser before the SSL handshake is done.
> > This is the same case as it was with name-based virtual hosts.
>
> What is the downside to this?
TLSv1 is almost the same as SSLv3.
--
Igor Sysoev
http://sysoev.ru/en/
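As an added illustration of the two directives discussed in this thread (not nginx or OpenSSL code, and a deliberate simplification of the real handshake), the Python model below shows what `ssl_prefer_server_ciphers` and `ssl_protocols` decide for a few constructed client hellos. The server cipher list is reduced to the two ciphers named in the reply, and the client profiles (Firefox-like, MSIE-like, an older client that prefers 3DES, a TLSv1-only client) are assumptions built for the example.

```python
# Simplified model of nginx's ssl_protocols / ssl_ciphers /
# ssl_prefer_server_ciphers negotiation. Added example, not nginx code.
from dataclasses import dataclass

VERSION_RANK = {"SSLv2": 2, "SSLv3": 3, "TLSv1": 4}  # highest common version wins


@dataclass
class ServerConfig:
    ssl_protocols: set           # what "ssl_protocols" allows
    ssl_ciphers: list            # "ssl_ciphers" in server preference order
    prefer_server_ciphers: bool  # "ssl_prefer_server_ciphers on/off"


@dataclass
class ClientHello:
    protocols: set               # versions the client is willing to speak
    ciphers: list                # cipher suites in client preference order


def negotiate(cfg: ServerConfig, hello: ClientHello):
    """Return (protocol, cipher) or None when the handshake would fail."""
    common = cfg.ssl_protocols & hello.protocols
    if not common:
        return None                      # no shared protocol: handshake fails
    proto = max(common, key=VERSION_RANK.__getitem__)
    # With prefer_server_ciphers on, the server walks its own list and takes
    # the first suite the client offers; otherwise the client's order wins.
    if cfg.prefer_server_ciphers:
        first, second = cfg.ssl_ciphers, hello.ciphers
    else:
        first, second = hello.ciphers, cfg.ssl_ciphers
    for cipher in first:
        if cipher in second:
            return proto, cipher
    return None                          # no shared cipher suite


# Server configurations: the reply's cipher list, reduced to its two named suites.
CIPHERS = ["AES128-SHA", "DES-CBC3-SHA"]
SERVER_CLIENT_ORDER = ServerConfig({"SSLv2", "SSLv3", "TLSv1"}, CIPHERS, False)
SERVER_PREFER = ServerConfig({"SSLv2", "SSLv3", "TLSv1"}, CIPHERS, True)
SERVER_NO_TLS = ServerConfig({"SSLv2", "SSLv3"}, CIPHERS, True)  # "ssl_protocols SSLv2 SSLv3;"

# Constructed client profiles (assumptions for the example, not measured data).
FIREFOX_LIKE = ClientHello({"SSLv3", "TLSv1"}, ["AES128-SHA", "DES-CBC3-SHA"])
MSIE_LIKE = ClientHello({"SSLv2", "SSLv3", "TLSv1"}, ["RC4-SHA", "DES-CBC3-SHA"])  # no AES offered
OLD_CLIENT = ClientHello({"SSLv3", "TLSv1"}, ["DES-CBC3-SHA", "AES128-SHA"])      # prefers 3DES
TLS_ONLY = ClientHello({"TLSv1"}, ["AES128-SHA"])                                  # SSLv3 disabled in the browser
```

Run `negotiate(SERVER_NO_TLS, TLS_ONLY)` to see the downside asked about in the thread: a client that speaks only TLSv1 gets no handshake at all once TLSv1 is removed from `ssl_protocols`.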