Server Load problems under heavy SSL traffic

on 12.12.2002 17:35:07 by Dale Weaver

We are experiencing problems under heavy traffic to our SSL site.
I have read the FAQ on performance and have decided to switch to
shmcb caching, but I don't know if that will help the problem.

With about 300 concurrent users the server loads skyrocket and the
server no longer spawns child processes for CGI scripts. I have the
Apache 1.3.27 server set up for 4096 concurrent connections and have
made all the suggested performance tuning measures suggested on the
Apache site. This problem does not occur on the non-ssl site which
has significantly more traffic.

Can anyone offer any insight into this problem? Here are my specs:

AIX 4.3.3 Dual Processor F40 w/ 1GB RAM 2GB SWAP
Apache with mod_ssl (compiled in) 1.3.27-2.8.11
Openssl 0.9.6g

from http.conf:


DocumentRoot "/usr/local/apache/ssldocs"
ServerName hostname
ServerAdmin me
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
ScriptAlias /cgi-bin/ "/usr/local/apache/sslcgi/"

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache/conf/ssl.crt/public.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/private.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediate.crt
SSLVerifyClient none
SSLVerifyDepth 10


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Any help is appreciated.

---------------------------------------------------------------------
Dale Weaver deweaver@waketech.edu



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
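
The CustomLog line in the configuration above writes protocol and cipher for every request to ssl_request_log. The following is an added example, not part of the original post: it parses lines in that format, tallies what clients actually negotiate and how many requests each host makes, and lists hosts that used SSLv2, EXP or NULL ciphers, all of which the posted SSLCipherSuite string names. The sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Format from the post: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>.*)" (?P<size>\d+|-)$'
)

# Constructed sample input, including one malformed line.
SAMPLE = """\
[12/Dec/2002:11:35:07 -0500] 192.0.2.10 TLSv1 RC4-MD5 "GET /cgi-bin/form.cgi HTTP/1.0" 5120
[12/Dec/2002:11:35:08 -0500] 192.0.2.10 TLSv1 RC4-MD5 "GET /logo.gif HTTP/1.0" 834
[12/Dec/2002:11:35:09 -0500] 192.0.2.22 SSLv2 DES-CBC3-MD5 "GET / HTTP/1.0" 2048
[12/Dec/2002:11:35:10 -0500] 192.0.2.31 SSLv3 EXP-RC4-MD5 "POST /cgi-bin/reg.cgi HTTP/1.0" -
truncated line without the expected fields
""".splitlines()

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # %b logs "-" for 0 bytes
    return rec

def is_weak(rec):
    """SSLv2 sessions, export-grade ciphers and NULL (no encryption) ciphers."""
    cipher = rec["cipher"]
    return rec["proto"] == "SSLv2" or cipher.startswith("EXP") or "NULL" in cipher

def summarize(lines):
    negotiated, per_host, weak_hosts, skipped = Counter(), Counter(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        negotiated[(rec["proto"], rec["cipher"])] += 1
        per_host[rec["host"]] += 1
        if is_weak(rec):
            weak_hosts.add(rec["host"])
    return {"negotiated": negotiated, "per_host": per_host,
            "weak_hosts": sorted(weak_hosts), "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for (proto, cipher), count in report["negotiated"].most_common():
        print(f"{count:6d}  {proto:6s} {cipher}")
    print("weak protocol/cipher seen from:", ", ".join(report["weak_hosts"]))
    print("unparseable lines:", report["skipped"])
```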

Re: Server Load problems under heavy SSL traffic

on 12.12.2002 17:50:19 by Mads Toftum

On Thu, Dec 12, 2002 at 11:35:07AM -0500, Dale Weaver wrote:
> We are experiencing problems under heavy traffic to our SSL site.
> I have read the FAQ on performance and have decided to switch to
> shmcb caching, but I don't know if that will help the problem.
>
Switching from what?
You might be able to speed it up a bit tweaking different things like
the cache size, timeouts and compiling openssl with no-threads.
But this is still quite a few connections, and you may not be able
to squeeze too much more out of it without adding an ssl accelerator
card.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall


Re: Server Load problems under heavy SSL traffic

on 12.12.2002 18:09:58 by dufresne

Cool, another NC person on this list, howdy from Chapel Hill, we remain
powerless, day 9 and counting, and hope to have it restored today or
tomorrow since Duke finally made it to our little nook out here in the
boonies. A backup generator has allowed this server to remain active.

If server load with encryption is getting to be a mess, and I'm not sure
what cards AIX might support, you might wish to look into off-loading the
SSL stuff to a dedicated encryption card and move to the open-ssl-engine
code to facilitate that. Others on the list might be able to better
direct you to hardware that will function on an AIX system.

Thanks,

Ron DuFresne

On Thu, 12 Dec 2002, Dale Weaver wrote:

> We are experiencing problems under heavy traffic to our SSL site.
> I have read the FAQ on performance and have decided to switch to
> shmcb caching, but I don't know if that will help the problem.
>
> With about 300 concurrent users the server loads skyrocket and the
> server no longer spawns child processes for CGI scripts. I have the
> Apache 1.3.27 server set up for 4096 concurrent connections and have
> made all the suggested performance tuning measures suggested on the
> Apache site. This problem does not occur on the non-ssl site which
> has significantly more traffic.
>
> Can anyone offer any insight into this problem? Here are my specs:
>
> AIX 4.3.3 Dual Processor F40 w/ 1GB RAM 2GB SWAP
> Apache with mod_ssl (compiled in) 1.3.27-2.8.11
> Openssl 0.9.6g
>
> from http.conf:
>
>
> DocumentRoot "/usr/local/apache/ssldocs"
> ServerName hostname
> ServerAdmin me
> ErrorLog /usr/local/apache/logs/error_log
> TransferLog /usr/local/apache/logs/access_log
> ScriptAlias /cgi-bin/ "/usr/local/apache/sslcgi/"
>
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /usr/local/apache/conf/ssl.crt/public.crt
> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/private.key
> SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediate.crt
> SSLVerifyClient none
> SSLVerifyDepth 10
>
>
> SSLOptions +StdEnvVars
>

>
> SSLOptions +StdEnvVars
>

>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> CustomLog /usr/local/apache/logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>

>
> Any help is appreciated.
>
> ---------------------------------------------------------------------
> Dale Weaver deweaver@waketech.edu
>
>
>
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
