11 sec per https:// connection?
2015-04-18, 02:55
I'm missing something, but I can't begin to guess what it is; I need help.

First I set up an insecure http connection between a kvm virtual machine guest with a blank little disk and Seabios garden variety pxe. DHCP served up an iPXE and further http:// requests were sub-second quick to establish. Large files transfer at near link speed. So far, so good.

Next I cooked up a 2048 bit RSA ca, nginx server cert, and built an ipxe with a 2048 bit private key. The ipxe has an embedded private key, embedded client cert, and embedded ca. The ca does point to a local http:// server holding a certificate revocation list / crl. I have no idea whether the ipxe client checks the crl for the server's cert, but I know the server checks the ipxe cert against the crl before beginning the secure session.

When I issue an ipxe https:// request, the thing sits there for 10.7 seconds, then begins the transfer, which appears to complete quickly. I actually can't be sure it is the setup that takes 10.7 seconds or whether it does that quickly, loses its place somehow, then recovers and does the transfer.

Anyhow: The nginx setup ssl section is:

ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256-SHA256:AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_session_cache shared:ssl:2m;
ssl_verify_depth 1;

When I read the docs I was prepared for a 1 second added delay per transaction. 10.7 sec is a project killer delay. Occasionally I'll get a timeout on the ipxe side before the transfer completes.

What am I missing? Why does it take so long to set up an https:// session?

While we're at it, does iPXE support the idea of reusing the setup of an SSL request completed moments before? Or is there no way to reuse and avoid the setup lag for subsequent quick https requests to the same server?

Thanks for any ideas!
Messages In This Thread |
11 sec per https:// connection? - harryc - 2015-04-18 02:55
RE: 11 sec per https:// connection? - mcb30 - 2015-04-18, 11:38