Re: Doesn't anyone else use SSL?
From: Thomas Deml [MS] (thomad@online.microsoft.com)
Date: 09/27/02
From: "Thomas Deml [MS]" <thomad@online.microsoft.com> Date: Fri, 27 Sep 2002 14:44:28 -0700
SSL perf can be dramatically different depending on the content and the
network connectivity the client has.
SSL is an encrypted tunnel around a TCP/IP connection. A multi-leg handshake
has to establish the tunnel. Once the tunnel is established SSL is
relatively fast.
The problem is that multiple network hops are fine over a fast connection,
but take especially long over low-speed connections.
Another problem then is that proxy servers don't keep the connection alive.
The tunnel has to be reestablished.
Not a lot IIS can do about it. Not even a hardware-based crypto solution
helps. The problem is caused by the network latency and not the processing
power of the IIS box.
Hope this helps.
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.
"Martin Smith" <martinsmonline@microsoft.com> wrote in message
news:zN2nEEQZCHA.364@cpmsftngxa06...
> Hi,
>
> If you pull the web browser on your server and hit the site using SSL is
> this connection slow? Make sure the browser is not using some type of
> proxy or going out through your firewall. If it is not then you probably
> have a network issue. How quick is this without SSL? You will take a perf
> hit with SSL. Encryption is expensive.
>
> Thanks,
> Martin
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> reserved.
>
> --------------------------------------------------------------------------
> From: "Todd" <todd@SPAMMMMALIZERipcs.net>
> Subject: Doesn't anyone else use SSL?
> Date: Wed, 25 Sep 2002 07:31:36 -0500
> Newsgroups: microsoft.public.inetserver.iis.security
>
> We are experiencing ~100% latency when using SSL. This is much higher than
> we expected. What are other people's experience?
>
> Here is the test that we executed:
> * Over a 56K dial up using AOL (to best simulate our target client - an
>   overseas user).
> * Using 10 identical 50K files containing plain text and a <body
>   onload="JavaScript:alert('Done')"> tag.
> * We browse to a default page via HTTPS so that the initial loading of the
>   certificate does not interfere with the test
> * Then we browse to the first five files via HTTP (each take about 4-5
>   seconds)
> * Then we browse to the second five files via HTTPS (each take about 9-10
>   seconds)
>
> You can see that it takes about twice as long over HTTPS as it does over
> HTTP.
>
> All software is Microsoft (Win2K, IIS, IE6, etc.)
> Servers are all Dell PowerEdge 3550s, dual 1 Ghz. CPU, with 1 MB RAM
> Nothing else is running on the server during the test.
>
> We tested it with similar results using three different configurations:
> 1) Internet --> Cisco Pix --> WebServer with dummy SSL certificate
>    (generated by us)
> 2) Internet --> Cisco Pix --> SonicWall SSL-R (using their default SSL
>    certificate) --> WebServer on port 81 with no SSL certificate
> 3) Internet --> Cisco Pix --> WebServer with Verisign issued SSL certificate
>
> All three configurations, same results. In the past we had our Verisign
> certificate on the SSL-R appliance but we experienced even greater latency.
>
> Not sure how to proceed. Any ideas are welcome.
>
> TIA
>
> <Todd />
>
> --------------------------------------------------------------------------
> From: alun@texis.com (Alun Jones)
> Subject: Re: Doesn't anyone else use SSL?
> Organization: Texas Imperial Software
> Date: Wed, 25 Sep 2002 14:51:38 GMT
> Newsgroups: microsoft.public.inetserver.iis.security
>
> In article <OkDSV6IZCHA.1152@tkmsftngp10>, "Todd"
> <todd@SPAMMMMALIZERipcs.net> wrote:
> >We are experiencing ~100% latency when using SSL. This is much higher than
> >we expected. What are other people's experience?
>
> SSL is slow - remember that instead of the normal sequence:
>
> 1. Receive request from client
> 2. Send file to client
>
> You've got the following:
>
> 1. Receive request from client
> 1a. Decode request from client
> 2a. Encode file
> 2. Send encoded file to client
>
> The parts marked with an 'a' are achieved through relatively complicated
> mathematical formulae. Such formulae take time to compute.
>
> That's one reason why you generally want to keep the SSL parts of your site
> to a minimum - only data that needs authorisation, and/or needs to be
> transmitted secretly.
>
> Alun.
> ~~~~
>
> [Please don't email posters, if a Usenet response is appropriate.]
> --
> Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
> 1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
> Cedar Park TX 78613-1419  | VISA/MC accepted. NT-based sites, be sure to
> Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
>
> --------------------------------------------------------------------------
> From: "Randy" <rskopecek@ilmic.com>
> Subject: Doesn't anyone else use SSL?
> Date: Wed, 25 Sep 2002 07:41:57 -0700
> Newsgroups: microsoft.public.inetserver.iis.security
>
> Hello Todd.
> I'm running a verisign SSL connection myself on a server
> 1/4 yours. I receive basically no latency. I'm guessing
> that you are running all the most current service packs.
> One question would be, how fast is the client's machine
> that you are testing it on. You might try sniffing the
> traffic between the webserver, pix, internal servers (that
> the webserver touches), and dns server. I have received
> latency previously due to the fact that traffic kept
> bouncing back and forth between other servers. Hopefully
> this helps.
>
> --------------------------------------------------------------------------
> From: "Consultant®" <consultant_mcngp@yahoo.com>
> Subject: Re: Doesn't anyone else use SSL?
> Date: Wed, 25 Sep 2002 08:21:42 -0700
> Newsgroups: microsoft.public.inetserver.iis.security
>
> have you considered an ssl card to offload the processing?
>
> "Todd" <todd@SPAMMMMALIZERipcs.net> wrote in message
> news:OkDSV6IZCHA.1152@tkmsftngp10...
> > We are experiencing ~100% latency when using SSL. This is much higher than
> > we expected. What are other people's experience?
> >
> > Here is the test that we executed:
> > * Over a 56K dial up using AOL (to best simulate our target client - an
> >   overseas user).
> > * Using 10 identical 50K files containing plain text and a <body
> >   onload="JavaScript:alert('Done')"> tag.
> > * We browse to a default page via HTTPS so that the initial loading of the
> >   certificate does not interfere with the test
> > * Then we browse to the first five files via HTTP (each take about 4-5
> >   seconds)
> > * Then we browse to the second five files via HTTPS (each take about 9-10
> >   seconds)
> >
> > You can see that it takes about twice as long over HTTPS as it does over
> > HTTP.
> >
> > All software is Microsoft (Win2K, IIS, IE6, etc.)
> > Servers are all Dell PowerEdge 3550s, dual 1 Ghz. CPU, with 1 MB RAM
> > Nothing else is running on the server during the test.
> >
> > We tested it with similar results using three different configurations:
> > 1) Internet --> Cisco Pix --> WebServer with dummy SSL certificate
> >    (generated by us)
> > 2) Internet --> Cisco Pix --> SonicWall SSL-R (using their default SSL
> >    certificate) --> WebServer on port 81 with no SSL certificate
> > 3) Internet --> Cisco Pix --> WebServer with Verisign issued SSL
> >    certificate
> >
> > All three configurations, same results. In the past we had our Verisign
> > certificate on the SSL-R appliance but we experienced even greater
> > latency.
> >
> > Not sure how to proceed. Any ideas are welcome.
> >
> > TIA
> >
> > <Todd />