[BugDB] Performance issue (PR#723)
on 22.06.2002 01:49:12 by modssl-bugdb
Full_Name: Denis Almeida Vieira Junior
Version: 2.8.9
OS: Solaris 2.7
Submission from: (NULL) (200.221.27.122)
Hey there.
I've been detecting some performance problems, since the version 2.8.6.
Today, I'm testing with Apache 1.3.26 + mod_ssl 2.8.9 and openssl 0.9.6d.
The configuration "Apache 1.3.22 + mod_ssl 2.8.5 + openssl 0.9.6b" and lower,
works fine.
So, here is the problem:
Case 1) - "Apache 1.3.22 + mod_ssl 2.8.5 + openssl 0.9.6b".
Working fine, but apache vulnerable (chunk vuln) and (zlib problems).
configuration:
export CFLAGS='-DHARD_SERVER_LIMIT=8192'; ./configure \
--with-apache=../apache_1.3.22 \
--with-ssl=../../openssl-0.9.6b --disable-rule=DEV_RANDOM --disable-rule=EXPAT \
--disable-rule=IRIXN32 --disable-rule=IRIXNIS --disable-rule=WANTHSREGEX \
--enable-module=most --enable-module=mmap_static --enable-shared=ssl \
--enable-shared=max \
--prefix=/opt/apache1322
This case works fine. I stressed the server, with 150 threads, and the loadav
was considerably (~4).
Case 2) - "Apache 1.3.26 + mod_ssl 2.8.9 + openssl 0.9.6d".
The perfect situation. No chunk exploit or zlib problems.
configuration:
export CFLAGS='-DHARD_SERVER_LIMIT=8192'; ./configure \
--with-apache=../apache_1.3.26 \
--with-ssl=../../openssl-0.9.6d --disable-rule=DEV_RANDOM --disable-rule=EXPAT \
--disable-rule=IRIXN32 --disable-rule=IRIXNIS --disable-rule=WANTHSREGEX \
--enable-module=most --enable-module=mmap_static --enable-shared=ssl \
--enable-shared=max \
--prefix=/opt/apache1326
This case unveils the performance issue. And the same happens with any version
newer than the case 1. The same stress situation, under this condition, same
config httpd.conf file, the server works on a ~40 loadav.
In this case 2, I opened a new test, under the same conditions, but the
compilation of the OpenSSL. I tried the "./config no-threads no-idea -fPIC"
configuration and compilation options.
This caused a different behavior. I mean, it took a little while (~3 minutes),
to the loadav get high, and after a few minutes, it got worse... the loadav
reached ~60...
Without the "no-threads no-idea -fPIC" options at the openSSL compilation, the
high loadav is instantaneous.
I can bring any information you need to debug this problem. Just let me know
what you need.
I really need help here. I have problems upgrading my servers because of the
performance issue, and I need to, to fix the chunk and zlib problems.
Any help would be gladly appreciated.
B. Regards.
Denis.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: [BugDB] Performance issue (PR#723)
on 24.06.2002 10:52:29 by Thomas Binder
Hi!
On Sat, Jun 22, 2002 at 01:49:12AM +0200, modssl-bugdb@modssl.org wrote:
> This caused a different behavior. I mean, it took a little while
> (~3 minutes), to the loadav get high, and after a few minutes,
> it got worse... the loadav reached ~60... Without the
> "no-threads no-idea -fPIC" options at the openSSL compilation,
> the high loadav is instantaneous.
>
> I can bring any information you need to debug this problem. Just
> let me know what do you need.
What kind of random seed do you use? As far as I know, IRIX has no
/dev/random (nor /dev/urandom), so it might be a good idea to
install prngd and let SSLRandomSeed point to its socket (using
egd:/path/to/socket).
This might already solve your problem.
Ciao
Thomas
Re: [BugDB] Performance issue (PR#723)
on 26.06.2002 01:08:20 by denao
Hi Thomas,
I'll try that and send the results to the list.
thank you
On Mon, 2002-06-24 at 05:52, Thomas Binder wrote:
> Hi!
>
> On Sat, Jun 22, 2002 at 01:49:12AM +0200, modssl-bugdb@modssl.org wrote:
> > This caused a different behavior. I mean, it took a little while
> > (~3 minutes), to the loadav get high, and after a few minutes,
> > it got worse... the loadav reached ~60... Without the
> > "no-threads no-idea -fPIC" options at the openSSL compilation,
> > the high loadav is instantaneous.
> >
> > I can bring any information you need to debug this problem. Just
> > let me know what do you need.
>
> What kind of random seed do you use? As far as I know, IRIX has no
> /dev/random (nor /dev/urandom), so I might be a good idea to
> install prngd and let SSLRandomSeed point to its socket (using
> egd:/path/to/socket)
>
> This might already solve your problem.
>
>
> Ciao
>
> Thomas
--
Denis A.V.Jr. - denao@uol.com.br
Systems Engineer - ICQ 2524962
Universo Online
perl -e 'print "computers are like air-conditioners: they stop working
when you open windows ", pack("c*",hex
"3A",sqrt(2025),(unpack(c,"=")-20),10);'
Re: [BugDB] Performance issue (PR#723)
on 28.06.2002 23:21:11 by denao
Hi,
I tried with the prngd and exactly the same problem appeared.
=(
Regards
On Mon, 2002-06-24 at 05:52, Thomas Binder wrote:
> Hi!
>
> On Sat, Jun 22, 2002 at 01:49:12AM +0200, modssl-bugdb@modssl.org wrote:
> > This caused a different behavior. I mean, it took a little while
> > (~3 minutes), to the loadav get high, and after a few minutes,
> > it got worse... the loadav reached ~60... Without the
> > "no-threads no-idea -fPIC" options at the openSSL compilation,
> > the high loadav is instantaneous.
> >
> > I can bring any information you need to debug this problem. Just
> > let me know what do you need.
>
> What kind of random seed do you use? As far as I know, IRIX has no
> /dev/random (nor /dev/urandom), so I might be a good idea to
> install prngd and let SSLRandomSeed point to its socket (using
> egd:/path/to/socket)
>
> This might already solve your problem.
>
>
> Ciao
>
> Thomas
--
Denis A.V.Jr. - denao@uol.com.br
Systems Engineer - ICQ 2524962
Universo Online
perl -e 'print "computers are like air-conditioners: they stop working
when you open windows ", pack("c*",hex
"3A",sqrt(2025),(unpack(c,"=")-20),10);'
Re: [BugDB] Performance issue (PR#723)
on 29.06.2002 11:51:37 by Lutz Jaenicke
On Fri, Jun 28, 2002 at 11:25:09PM +0200, modssl-bugdb@modssl.org wrote:
> I tried with the prngd and exactly the same problem appeared.
I don't think that your problem has to do with random seeding.
Even the built-in seeding should not cause significant load increases.
What other modules or add-ons do you use? I know that there is at least
one interaction between php4 and mod_ssl: child processes do not correctly
shut down, when both modules are used.
Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: [BugDB] Performance issue (PR#723)
on 01.07.2002 18:38:52 by denao
Hi Lutz...
I compile apache using...: (from mod_ssl dir)
export CFLAGS='-DHARD_SERVER_LIMIT=8192'; ./configure \
--disable-rule=DEV_RANDOM --disable-rule=EXPAT --disable-rule=IRIXN32 \
--disable-rule=IRIXNIS --disable-rule=SHARED_CHAIN \
--disable-rule=WANTHSREGEX --enable-module=most \
--enable-module=mmap_static --enable-shared=max \
--with-apache=../apache_1.3.26 --with-ssl=../openssl-0.9.6d \
--prefix=/opt/apache-1.3.26
cd ../apache_1.3.26
make
and I have...:
denao@isherwood /opt/apache-1.3.26# bin/httpd -l
Compiled-in modules:
http_core.c
mod_so.c
suexec: disabled; invalid wrapper /opt/apache-1.3.26/bin/suexec
and at the conf, I call...:
LoadModule mmap_static_module libexec/mod_mmap_static.so
LoadModule config_log_module libexec/mod_log_config.so
#LoadModule mime_magic_module libexec/mod_mime_magic.so
LoadModule mime_module libexec/mod_mime.so
LoadModule status_module libexec/mod_status.so
LoadModule info_module libexec/mod_info.so
LoadModule imap_module libexec/mod_imap.so
LoadModule access_module libexec/mod_access.so
LoadModule expires_module libexec/mod_expires.so
LoadModule setenvif_module libexec/mod_setenvif.so
LoadModule negotiation_module libexec/mod_negotiation.so
#LoadModule vhost_alias_module libexec/mod_vhost_alias.so
LoadModule ssl_module libexec/libssl.so
The real strange thing here is that those high loads never happen
using apache1.3.22 and mod_ssl 2.8.5... but any combination newer than
this, brings me a high load.
Best regards, and thank you so much for helping me out on this.
Denis.
On Sat, 2002-06-29 at 06:51, Lutz Jaenicke wrote:
> On Fri, Jun 28, 2002 at 11:25:09PM +0200, modssl-bugdb@modssl.org wrote:
> > I tried with the prngd and exactly the same problem appeared.
>
> I don't think, that your problem has to do with random seeding.
> Even the built-in seeding should not cause significant load increases.
>
> What other modules or add-ons do you use? I know that there is at least
> one interaction between php4 and mod_ssl: child processes do not correctly
> shut down, when both modules are used.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus
--
Denis A.V.Jr. - denao@uol.com.br
Systems Engineer - ICQ 2524962
Universo Online
perl -e 'print "computers are like air-conditioners: they stop working
when you open windows ", pack("c*",hex
"3A",sqrt(2025),(unpack(c,"=")-20),10);'
Static Page after SSL Handshake Failure ??
on 02.07.2002 09:31:28 by Marc Buetikofer
Hi,
Is it possible to return a static page to a browser if an SSL
handshake failed? I have in mind the situation, when e.g. a 56-bit Browser
tries to handshake with an Apache that requires 128 bits.
I could not find any directive in the documentation.
Thanks for help!!
Marc
RE: Static Page after SSL Handshake Failure ??
on 02.07.2002 11:14:35 by John.Airey
I don't think you can. The handshake has to complete before any other data
can be transferred. An incomplete handshake means no connection and hence no
data.
However, I think you might be able to connect users with a lower cipher to a
different document root and from there direct them elsewhere. I recall this
being raised before, so look in the archive of this list.
Users of IIS will notice that the errors returned from server are becoming
more and more meaningless. "The page cannot be displayed" covers up whatever
the real error is.
I recommend using curl for testing anyway: http://curl.haxx.se
-
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
Is the statement 'There is no such thing as truth' true?
> -----Original Message-----
> From: Marc Buetikofer [mailto:mbutikof@ergon.ch]
> Sent: 02 July 2002 08:31
> To: modssl-users@modssl.org
> Subject: Static Page after SSL Handshake Failure ??
>
>
>
>
>
> Hi,
>
> Is it possible for to return a static page to a browser if an SSL
> handshake failed? I have in mind the situation, when e.g. a
> 56-bit Browser
> tries to hanshake with an Apache that requires 128 bits.
> I could not find any directive in the documentation.
>
> Thanks for help!!
>
> Marc
>
Re: Static Page after SSL Handshake Failure ??
on 02.07.2002 12:35:46 by Thomas Binder
Hi!
On Tue, Jul 02, 2002 at 10:14:35AM +0100, John.Airey@rnib.org.uk wrote:
> However, I think you might be able to connect users with a lower
> cipher to a different document root and from there direct them
> elsewhere. I recall this being raised before, so look in the
> archive of this list.
I've done this using mod_rewrite. For example, to redirect
browsers connecting with only export cipher strengths:
SSLOptions +StdEnvVars
RewriteEngine on
RewriteCond %{ENV:SSL_CIPHER_EXPORT} "^true$"
RewriteRule ".*" /noexport.html [L]
Or to redirect browsers not connecting with at least 100 bit
effective key size:
SSLOptions +StdEnvVars
RewriteEngine on
RewriteCond %{ENV:SSL_CIPHER_USEKEYSIZE} "!^[0-9]{3}"
RewriteRule ".*" /keytoosmall.html [L]
Note that the URIs you redirect to (here: /noexport.html and
/keytoosmall.html) have to live outside /path/to/special/directory
(or inside a subdirectory which has RewriteEngine off).
Of course, having StdEnvVars set for certain directories lowers
the performance, but I see no other way to check for cipher
parameters without letting the handshake fail.
Ciao
Thomas
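
Added example (not part of the original thread or of mod_ssl/mod_rewrite): a small Python model of how the two RewriteCond tests in the message above decide, run over constructed client environments. It parses only the directive forms shown in that message and assumes that an unset variable expands to the empty string.

```python
import re

# The two rule sets from the message above, copied verbatim.
EXPORT_RULES = '''
RewriteCond %{ENV:SSL_CIPHER_EXPORT} "^true$"
RewriteRule ".*" /noexport.html [L]
'''
KEYSIZE_RULES = '''
RewriteCond %{ENV:SSL_CIPHER_USEKEYSIZE} "!^[0-9]{3}"
RewriteRule ".*" /keytoosmall.html [L]
'''

# Constructed client environments (sample values, not captured from a server).
CLIENTS = {
    "export-40bit": {"SSL_CIPHER_EXPORT": "true", "SSL_CIPHER_USEKEYSIZE": "40"},
    "des-56bit": {"SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "56"},
    "rc4-128bit": {"SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "128"},
    "vars-missing": {},  # assumption: SSLOptions +StdEnvVars not in effect
}

def parse_rules(text):
    """Turn RewriteCond/RewriteRule lines into (conditions, pattern, target) tuples."""
    rules, conds = [], []
    for line in text.strip().splitlines():
        parts = [p.strip('"') for p in line.split()]
        if parts[0] == "RewriteCond":
            negate = parts[2].startswith("!")  # leading "!" inverts the match
            pattern = parts[2][1:] if negate else parts[2]
            conds.append((parts[1], re.compile(pattern), negate))
        elif parts[0] == "RewriteRule":
            rules.append((conds, re.compile(parts[1]), parts[2]))
            conds = []
    return rules

def expand(test_string, env):
    """Expand %{ENV:NAME}; an unset variable becomes the empty string."""
    return re.sub(r"%\{ENV:(\w+)\}", lambda m: env.get(m.group(1), ""), test_string)

def rewrite(uri, env, rules):
    """Return the target of the first rule whose pattern and conditions hold."""
    for conds, pattern, target in rules:
        if pattern.search(uri) and all(
            bool(rx.search(expand(test, env))) != negate for test, rx, negate in conds
        ):
            return target
    return uri  # no rule fired: the request is served unchanged

def outcomes(rules_text, uri="/index.html"):
    """Map each constructed client to the URI it ends up with."""
    rules = parse_rules(rules_text)
    return {name: rewrite(uri, env, rules) for name, env in CLIENTS.items()}

if __name__ == "__main__":
    for label, text in (("export rule", EXPORT_RULES), ("key-size rule", KEYSIZE_RULES)):
        for client, result in outcomes(text).items():
            print(f"{label:14} {client:13} -> {result}")
```

In this model the export rule leaves a request untouched when the variables are missing, while the negated key-size rule redirects it, so the two forms behave differently if +StdEnvVars is not active for the directory.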