Webpage over SSL timing out?

on 08.10.2003 00:17:49 by Sarah Haff

I apologize if this posting appears twice. :)

Hi,

We have a webserver that is serving image (gif/jpg) files over SSL. I am
using Apache 2.46 compiled with SSL/PHP/mod_rewrite support. I did not
include any other module.

The webserver seems to work fine. However if a webpage has multiple image
files, not all the image files load, and "broken image icons" are shown
instead. Seems like the SSL/HTTP connection is timing out. Is there a way to
increase this timeout period? I don't mind if it takes a little longer to load
the page, but the user should see all the image files.

Another alternative is to use a HW based SSL solution like nCipher's CHIL.
But I want to make that the last option, since I don't want to re-configure
the HW/application on the server.

Any ideas on how other sites handle image files over SSL? I need the image
files over SSL, because they are scanned images of confidential information.

Thanks.
Sarah.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Webpage over SSL timing out?

on 08.10.2003 00:26:48 by Cliff Woolley

On Tue, 7 Oct 2003, Sarah Haff wrote:

> We have a webserver that is serving image (gif/jpg) files over SSL. I am
> using Apache 2.46 compiled with SSL/PHP/mod_rewrite support. I did not
> include any other module.
>
> The webserver seems to work fine. However if a webpage has multiple image
> files, not all the image files load, and "broken image icons" are shown
> instead. Seems like the SSL/HTTP connection is timing out. Is there a way to
> increase this timeout period? I don't mind if it takes a little longer to load
> the page, but the user should see all the image files.

This is actually most likely a problem with either SSL session caching or
with "keepalive" HTTP requests. What settings are you using for the
SSLSessionCache directive? Does this only happen with Internet Explorer?
If so, are you using the SetEnvIf directive suggested at
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#msie ?

--Cliff

Re: Webpage over SSL timing out?

on 08.10.2003 01:00:11 by Sarah Haff

>This is actually most likely a problem with either SSL session caching or
>with "keepalive" HTTP requests. What settings are you using for the
>SSLSessionCache directive? Does this only happen with Internet Explorer?
>If so, are you using the SetEnvIf directive suggested at
>http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#msie ?

Cliff,

Thanks for the response. The problem happens with Mozilla and IE.

Here is my SSLCache setting in ssl.conf
SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 1300

and httpd.conf
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On


Thanks.
Sarah.

Re: Webpage over SSL timing out?

on 08.10.2003 01:07:08 by Mads Toftum

On Tue, Oct 07, 2003 at 03:17:49PM -0700, Sarah Haff wrote:
> We have a webserver that is serving image (gif/jpg) files over SSL. I am
> using Apache 2.46 compiled with SSL/PHP/mod_rewrite support. I did not
> include any other module.
>
> The webserver seems to work fine. However if a webpage has multiple image
> files, not all the image files load, and "broken image icons" are shown
> instead. Seems like the SSL/HTTP connection is timing out. Is there a way
> to increase this timeout period? I don't mind if it takes a little longer to
> load the page, but the user should see all the image files.

Check Cliff's suggestions about SSLSessionCache (the shm type is preferable
for performance reasons).
Other suggestions could be turning on keepalives and possibly to remove
some of the weaker cipher options from SSLCipherSuite.
>
> Another alternative is to use a HW based SSL solution like nCipher's CHIL.
> But I want to make that the last option, since I don't want to re-configure
> the HW/application on the server.
>
How does the cpu usage look on the server? If the load isn't high, then
you probably won't win much with an ssl accelerator.

> Any ideas on how other sites handle image files over SSL? I need the image
> files over SSL, because they are scanned images of confidential information.
>
Just like any other file type - apache doesn't really care what it is.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations"
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation"

Re: Webpage over SSL timing out?

on 08.10.2003 01:12:25 by Mads Toftum

On Tue, Oct 07, 2003 at 04:00:11PM -0700, Sarah Haff wrote:
> Here is my SSLCache setting in ssl.conf
> SSLSessionCache shmcb:logs/ssl_scache(512000)
> #SSLSessionCache dbm:logs/ssl_scache
> SSLSessionCacheTimeout 1300
>
Looks ok - you could try confirming that session caching works by
using the command:

openssl s_client -connect HOST:PORT -reconnect

> and httpd.conf
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 300
>
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive On
>
This might be disabled elsewhere by something like (from the std config):

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

You could try without it and see if it helps.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations"
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation"

Re: Webpage over SSL timing out?

on 08.10.2003 01:45:39 by Sarah Haff

Thanks for the reply Tuftom,

What is the difference between "shmht" and "shmcb" ?
#SSLSessionCache shmht:logs/ssl_scache(512000)
SSLSessionCache shmcb:logs/ssl_scache(512000)

I ran the openssl s_client -connect HOST:PORT -reconnect command

The difference between the cache and non-cached connection was:

multiple lines of
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA (with caching disabled)
vs
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA (with caching enabled)

So I guess "Reused" says the caching is working. Am I right?

Thanks
Sarah.
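
The session-cache check discussed in this exchange, as an added example that is not part of the original thread: a small shell function that reads the output of `openssl s_client -connect HOST:PORT -reconnect` and reports how many handshakes were full ("New") versus resumed ("Reused"). The function name, the verdict labels and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarize the handshake lines printed by
#   openssl s_client -connect HOST:PORT -reconnect
# s_client does one full handshake, then reconnects five times with the
# same session ID, so a working session cache shows 1 New + 5 Reused.

summarize_handshakes() {
    awk '
        /^New, /    { new++; if (seen) late_new++; seen = 1; next }
        /^Reused, / { reused++; seen = 1; next }
        END {
            if (new + reused == 0) verdict = "no-handshake"
            else if (reused == 0)  verdict = "cache-miss"   # never resumed
            else if (late_new > 0) verdict = "partial"      # some reconnects fell back
            else                   verdict = "cache-ok"
            printf "new=%d reused=%d verdict=%s\n", new, reused, verdict
        }'
}

# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_CACHED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA'

SAMPLE_UNCACHED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA'

SAMPLE_PARTIAL='New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA'

printf '%s\n' "$SAMPLE_CACHED"   | summarize_handshakes
printf '%s\n' "$SAMPLE_UNCACHED" | summarize_handshakes
printf '%s\n' "$SAMPLE_PARTIAL"  | summarize_handshakes
```

Against a live server, pipe the real command into the function: `openssl s_client -connect HOST:PORT -reconnect </dev/null 2>/dev/null | summarize_handshakes`.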

Re: Webpage over SSL timing out?

on 08.10.2003 04:17:06 by Sarah Haff

>Other suggestions could be turning on keepalives and possibly to remove
>some of the weaker cipher options from SSLCipherSuite.
How does removing weaker ciphers improve the performance?

>How does the cpu usage look on the server? If the load isn't high, then
>you probably won't win much with an ssl accelerator.
It is a quad CPU server 2.8 GHz, so the max CPU usage goes to 10% per CPU.

Thanks for all the help.
Sarah

Re: Webpage over SSL timing out?

on 08.10.2003 04:39:31 by Jason Haar

Bit of a "me too" here. Just today I noticed an issue whereby running a PHP
web page that does LDAP queries across our WAN was hanging forever (not an
SSL issue BTW - bad LDAP server). I hit the "Stop" button and tried
reloading to have another go - and the browser's "swirly thing" swirled away
forever - after ten minutes it was still going. A sniffer shows HTTPS
traffic between my workstation and the server - but the server never
attempted the second LDAP call - which makes me think the request never
happened (i.e. something got stuck in SSL land)

In the end the only fix was to either kill the browser, or restart the httpd
server.

That was Mozilla 1.5 under Redhat 8 talking to Apache 1.3.27/mod_ssl-2.8.12-2

Timeout 300
KeepAliveTimeout 15
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300

> openssl s_client -connect HOST:PORT -reconnect

That appears to work fine here too - I get the "reused" line...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: Webpage over SSL timing out?

on 08.10.2003 09:10:13 by Mads Toftum

On Tue, Oct 07, 2003 at 07:17:06PM -0700, Sarah Haff wrote:
> >Other suggestions could be turning on keepalives and possibly to remove
> >some of the weaker cipher options from SSLCipherSuite.
> How does removing weaker ciphers improve the performance?

It doesn't improve performance - but I've seen cases where Internet Explorer
would allow a session to live longer if it was negotiated to a newer cipher
like TLS instead of SSLv2.
>
> >How does the cpu usage look on the server? If the load isn't high, then
> >you probably won't win much with an ssl accelerator.
> It is a quad CPU server 2.8 GHz, so the max CPU usage goes to 10% per CPU.
>
If that is the case, then it doesn't seem likely to me that a hardware
accelerator will improve things much. With that much cpu power to spare,
there shouldn't be any significant slowdown in the connect. If you have an
SSL enabled benchmark tool (could be a recent ab from apache), then try
seeing what happens when you run a number of concurrent requests - do they
start to fail?

I'm inclined to think that the problem could be related to keepalives, where
Internet Explorer tries to open more connections than it can handle at once
because keepalives are turned off (the SetEnvIf I mentioned). It should be
possible to determine with netstat or LogLevel debug.
If that isn't the case, then I can only think of things like a blocking
random device, or some other resource being exhausted.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations"
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation"
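
The netstat check suggested in this message, as an added example that is not part of the original thread: a shell function that counts ESTABLISHED and TIME_WAIT connections per client on the SSL port. It assumes the Linux `netstat -tan` column layout; the function name, addresses and sample lines are constructed for illustration. When keepalives are off the server closes after every response, so one client with many TIME_WAIT entries and few ESTABLISHED ones suggests one connection per request.

```shell
#!/bin/sh
# Added example: per-client connection states on the HTTPS port,
# read from `netstat -tan` output (Linux column layout assumed:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State).

conn_states_per_client() {
    port="${1:-443}"
    awk -v port="$port" '
        # Only TCP rows whose local address ends in ":<port>".
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            if ($6 != "ESTABLISHED" && $6 != "TIME_WAIT") next
            ip = $5
            sub(/:[0-9]+$/, "", ip)          # strip the client port
            if ($6 == "ESTABLISHED") est[ip]++
            else                     tw[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s established=%d time_wait=%d\n", ip, est[ip], tw[ip]
        }' | sort
}

# Constructed sample: 198.51.100.7 looks like a client without keepalive
# (one live connection, four already closed by the server);
# 203.0.113.9 holds two persistent connections open.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address      State
tcp   0 0 0.0.0.0:443       0.0.0.0:*            LISTEN
tcp   0 0 192.0.2.10:443    198.51.100.7:51201   TIME_WAIT
tcp   0 0 192.0.2.10:443    198.51.100.7:51202   TIME_WAIT
tcp   0 0 192.0.2.10:443    198.51.100.7:51203   TIME_WAIT
tcp   0 0 192.0.2.10:443    198.51.100.7:51204   TIME_WAIT
tcp   0 0 192.0.2.10:443    198.51.100.7:51205   ESTABLISHED
tcp   0 0 192.0.2.10:443    203.0.113.9:40110    ESTABLISHED
tcp   0 0 192.0.2.10:443    203.0.113.9:40111    ESTABLISHED
tcp   0 0 192.0.2.10:80     198.51.100.7:51300   ESTABLISHED
tcp   0 0 192.0.2.10:8443   203.0.113.9:40200    ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | conn_states_per_client 443
```

On the server itself, run `netstat -tan | conn_states_per_client 443` while a browser loads the page with the missing images.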

Re: Webpage over SSL timing out?

on 08.10.2003 16:28:53 by Sarah Haff

Hello Mads,

What are the contents of the log/ssl_scache file?
SSLSessionCache shmcb:logs/ssl_scache(512000)

Is it just a pointer to the hash-table in the memory?

Thanks
Sarah
