11 sec per https:// connection?
2015-04-18, 02:55
Post: #1
I'm missing something, but I can't begin to guess what it is. I need help.
First I set up an insecure http connection between a kvm virtual machine guest with a blank little disk and Seabios garden variety pxe. DHCP served up an iPXE and further http:// requests were sub-second quick to establish. Large files transfer at near link speed. So far, so good.

Next I cooked up a 2048 bit RSA ca, nginx server cert, and built an ipxe with a 2048 bit private key. The ipxe has an embedded private key, embedded client cert, and embedded ca.
The ca does point to a local http:// server holding a certificate revocation list / crl. I have no idea whether the ipxe client checks the crl for the server's cert, but I know the server checks the ipxe cert against the crl before beginning the secure session.

When I issue an ipxe https:// request, the thing sits there for 10.7 seconds, then begins the transfer, which appears to complete quickly. I actually can't be sure it is the setup that takes 10.7 seconds or whether it does that quickly, loses its place somehow, then recovers and does the transfer.

Anyhow: The nginx setup ssl section is:

ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256-SHA256:AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_session_cache shared:ssl:2m;
ssl_verify_depth 1;

When I read the docs I was prepared for a 1 second added delay per transaction. 10.7 sec is a project killer delay. Occasionally I'll get a timeout on the ipxe side before the transfer completes. What am I missing? Why does it take so long to set up an https:// session?

While we're at it, does iPXE support the idea of reusing the setup of an SSL request completed moments before? Or is there no way to reuse and avoid the setup lag for subsequent quick https requests to the same server?

Thanks for any ideas!
Messages In This Thread
11 sec per https:// connection? - harryc - 2015-04-18 02:55