Re: Doesn't anyone else use SSL?

From: Thomas Deml [MS] (thomad@online.microsoft.com)
Date: 09/27/02


From: "Thomas Deml [MS]" <thomad@online.microsoft.com>
Date: Fri, 27 Sep 2002 14:44:28 -0700


SSL perf can be dramatically different depending on the content and the
network connectivity the client has.

SSL is an encrypted tunnel around a TCP/IP connection. A multi-leg handshake
has to establish the tunnel. Once the tunnel is established SSL is
relatively fast.

The problem is that multiple network hops are fine over a fast connection,
but take especially long over low-speed connections.
Another problem then is that proxy servers don't keep the connection alive.
The tunnel has to be reestablished.

Not a lot IIS can do about it. Not even a hardware-based crypto solution
helps. The problem is caused by the network latency and not the processing
power of the IIS box.

Hope this helps.

Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.
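
Added example, not part of the thread: a small model of the latency argument in Thomas Deml's reply above, counting the round trips spent before a response can start. The round-trip counts are those of an SSL 3.0 / TLS 1.0 handshake; the 0.5 s dial-up round-trip time, the 1 ms LAN round-trip time and the RSA timings are assumed values, not measurements from the thread.

```python
"""Time to first response byte for the connection cases discussed in the thread."""

# Round trips needed before the response starts (SSL 3.0 / TLS 1.0 era).
TCP_CONNECT_RTTS = 1        # SYN, SYN-ACK; the client may then send data
FULL_HANDSHAKE_RTTS = 2     # hello exchange, then key exchange and Finished
RESUMED_HANDSHAKE_RTTS = 1  # cached session ID: no new key exchange
REQUEST_RTTS = 1            # HTTP request out, first response byte back


def time_to_first_byte(rtt_s, *, ssl, new_connection, resumed=False, rsa_cpu_s=0.0):
    """Seconds until the response starts; payload transfer time is not modelled."""
    round_trips = REQUEST_RTTS
    cpu_s = 0.0
    if new_connection:
        round_trips += TCP_CONNECT_RTTS
        if ssl and resumed:
            round_trips += RESUMED_HANDSHAKE_RTTS
        elif ssl:
            round_trips += FULL_HANDSHAKE_RTTS
            cpu_s = rsa_cpu_s  # private-key operation, full handshake only
    return round_trips * rtt_s + cpu_s


def scenarios(rtt_s, rsa_cpu_s):
    """The cases from the thread: tunnel kept alive vs. re-established."""
    return {
        "http, new connection": time_to_first_byte(rtt_s, ssl=False, new_connection=True),
        "https, tunnel kept alive": time_to_first_byte(rtt_s, ssl=True, new_connection=False),
        "https, new connection, resumed session": time_to_first_byte(
            rtt_s, ssl=True, new_connection=True, resumed=True),
        "https, new connection, full handshake": time_to_first_byte(
            rtt_s, ssl=True, new_connection=True, rsa_cpu_s=rsa_cpu_s),
    }


def offload_saving(rtt_s, software_rsa_s, accelerator_rsa_s):
    """Fraction of a full-handshake fetch that a crypto accelerator removes."""
    kw = dict(ssl=True, new_connection=True)
    before = time_to_first_byte(rtt_s, rsa_cpu_s=software_rsa_s, **kw)
    after = time_to_first_byte(rtt_s, rsa_cpu_s=accelerator_rsa_s, **kw)
    return (before - after) / before


if __name__ == "__main__":
    # Assumed values, not measurements from the thread.
    DIALUP_RTT_S, LAN_RTT_S = 0.5, 0.001
    SOFTWARE_RSA_S, ACCELERATOR_RSA_S = 0.020, 0.002
    for name, seconds in scenarios(DIALUP_RTT_S, SOFTWARE_RSA_S).items():
        print(f"{name:42s} {seconds:6.3f} s")
    for label, rtt in (("dial-up", DIALUP_RTT_S), ("LAN", LAN_RTT_S)):
        saved = offload_saving(rtt, SOFTWARE_RSA_S, ACCELERATOR_RSA_S)
        print(f"accelerator saves {saved:.1%} of a full-handshake fetch on {label}")
```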

"Martin Smith" <martinsmonline@microsoft.com> wrote in message
news:zN2nEEQZCHA.364@cpmsftngxa06...
> Hi,
>
> If you pull the web browser on your server and hit the site using SSL is
> this connection slow? Make sure your browser is not using some type of
> proxy or going out through your firewall. If it is not then you probably
> have a network issue. How quick is this without SSL? You will take a perf
> hit with SSL. Encryption is expensive.
>
> Thanks,
> Martin
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> reserved.
>
> ----------------------------------------------------------------------
> From: "Todd" <todd@SPAMMMMALIZERipcs.net>
> Subject: Doesn't anyone else use SSL?
> Date: Wed, 25 Sep 2002 07:31:36 -0500
> Message-ID: <OkDSV6IZCHA.1152@tkmsftngp10>
> Newsgroups: microsoft.public.inetserver.iis.security
>
> We are experiencing ~100% latency when using SSL. This is much higher than
> we expected. What are other people's experience?
>
> Here is the test that we executed:
> * Over a 56K dial up using AOL (to best simulate our target client - an
> overseas user).
> * Using 10 identical 50K files containing plain text and a <body
> onload="JavaScript:alert('Done')"> tag.
> * We browse to a default page via HTTPS so that the initial loading of the
> certificate does not interfere with the test
> * Then we browse to the first five files via HTTP (each take about 4-5
> seconds)
> * Then we browse to the second five files via HTTPS (each take about 9-10
> seconds)
>
> You can see that it takes about twice as long over HTTPS as it does over
> HTTP.
>
> All software is Microsoft (Win2K, IIS, IE6, etc.)
> Servers are all Dell PowerEdge 3550s, dual 1 Ghz. CPU, with 1 MB RAM
> Nothing else is running on the server during the test.
>
> We tested it with similar results using three different configurations:
> 1) Internet --> Cisco Pix --> WebServer with dummy SSL certificate
> (generated by us)
> 2) Internet --> Cisco Pix --> SonicWall SSL-R (using their default SSL
> certificate) -->WebServer on port 81 with no SSL certificate
> 3) Internet --> Cisco Pix --> WebServer with Verisign issued SSL
> certificate
>
> All three configurations, same results. In the past we had our Verisign
> certificate on the SSL-R appliance but we experienced even greater
> latency.
>
> Not sure how to proceed. Any ideas are welcome.
>
> TIA
>
> <Todd />
>
> ----------------------------------------------------------------------
> Newsgroups: microsoft.public.inetserver.iis.security
> From: alun@texis.com (Alun Jones)
> Subject: Re: Doesn't anyone else use SSL?
> Organization: Texas Imperial Software
> References: <OkDSV6IZCHA.1152@tkmsftngp10>
> Message-ID: <_3kk9.37478$kb2.212590657@newssvr30.news.prodigy.com>
> Date: Wed, 25 Sep 2002 14:51:38 GMT
>
> In article <OkDSV6IZCHA.1152@tkmsftngp10>, "Todd"
> <todd@SPAMMMMALIZERipcs.net> wrote:
> >We are experiencing ~100% latency when using SSL. This is much higher than
> >we expected. What are other people's experience?
>
> SSL is slow - remember that instead of the normal sequence:
>
> 1. Receive request from client
> 2. Send file to client
>
> You've got the following:
>
> 1. Receive request from client
> 1a. Decode request from client
> 2a. Encode file
> 2. Send encoded file to client
>
> The parts marked with an 'a' are achieved through relatively complicated
> mathematical formulae.  Such formulae take time to compute.
>
> That's one reason why you generally want to keep the SSL parts of your site
> to a minimum - only data that needs authorisation, and/or needs to be
> transmitted secretly.
>
> Alun.
> ~~~~
>
> [Please don't email posters, if a Usenet response is appropriate.]
> --
> Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
> 1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
> Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
> Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
>
> ----------------------------------------------------------------------
> From: "Randy" <rskopecek@ilmic.com>
> References: <OkDSV6IZCHA.1152@tkmsftngp10>
> Subject: Doesn't anyone else use SSL?
> Date: Wed, 25 Sep 2002 07:41:57 -0700
> Message-ID: <79b901c264a1$b3231bd0$37ef2ecf@TKMSFTNGXA13>
> Newsgroups: microsoft.public.inetserver.iis.security
>
> Hello Todd.
> I'm running a Verisign SSL connection myself on a server
> 1/4 yours.  I receive basically no latency.  I'm guessing
> that you are running all the most current service packs.
> One question would be, how fast is the client's machine
> that you are testing it on?  You might try sniffing the
> traffic between the webserver, pix, internal servers (that
> the webserver touches), and dns server.  I have received
> latency previously due to the fact that traffic kept
> bouncing back and forth between other servers.  Hopefully
> this helps.
>
> ----------------------------------------------------------------------
> From: "Consultant®" <consultant_mcngp@yahoo.com>
> References: <OkDSV6IZCHA.1152@tkmsftngp10>
> Subject: Re: Doesn't anyone else use SSL?
> Date: Wed, 25 Sep 2002 08:21:42 -0700
> Message-ID: <u5WwdcKZCHA.2440@tkmsftngp08>
> Newsgroups: microsoft.public.inetserver.iis.security
>
> have you considered an ssl card to offload the processing?
>
>
> "Todd" <todd@SPAMMMMALIZERipcs.net> wrote in message
> news:OkDSV6IZCHA.1152@tkmsftngp10...
> > We are experiencing ~100% latency when using SSL. This is much higher than
> > we expected. What are other people's experience?
> >
> > Here is the test that we executed:
> > * Over a 56K dial up using AOL (to best simulate our target client - an
> > overseas user).
> > * Using 10 identical 50K files containing plain text and a <body
> > onload="JavaScript:alert('Done')"> tag.
> > * We browse to a default page via HTTPS so that the initial loading of the
> > certificate does not interfere with the test
> > * Then we browse to the first five files via HTTP (each take about 4-5
> > seconds)
> > * Then we browse to the second five files via HTTPS (each take about 9-10
> > seconds)
> >
> > You can see that it takes about twice as long over HTTPS as it does over
> > HTTP.
> >
> > All software is Microsoft (Win2K, IIS, IE6, etc.)
> > Servers are all Dell PowerEdge 3550s, dual 1 Ghz. CPU, with 1 MB RAM
> > Nothing else is running on the server during the test.
> >
> > We tested it with similar results using three different configurations:
> > 1) Internet --> Cisco Pix --> WebServer with dummy SSL certificate
> > (generated by us)
> > 2) Internet --> Cisco Pix --> SonicWall SSL-R (using their default SSL
> > certificate) -->WebServer on port 81 with no SSL certificate
> > 3) Internet --> Cisco Pix --> WebServer with Verisign issued SSL
> > certificate
> >
> > All three configurations, same results. In the past we had our Verisign
> > certificate on the SSL-R appliance but we experienced even greater
> > latency.
> >
> > Not sure how to proceed. Any ideas are welcome.
> >
> > TIA
> >
> > <Todd />

