Improving ssl connection time


Improving ssl connection time

Marco Rossi-2
Dear all,

I'm working with an xml messaging protocol where
messages are exchanged by means of ssl connections.

The client needs to open/close a new connection for
every message to be sent (the server adopts this policy
and it is not possible to change it), so I was trying
to understand a little more on BIO_do_connect.

In the past, I used to "sleep(2)" on BIO_do_connect
to wait for the ssl handshake to be performed, here is a
snippet of code

// CTX settings (keys, cert,...)
BIO_get_ssl(out, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
BIO_set_nbio(out,1);

if (BIO_do_connect(out) <= 0){
     sleep(2);
}

However I noticed "sleep(2)" slows down my client
application, I got better times if I don't use sleep
and I go directly to use BIO_read and BIO_write, and
wait for the BIO to be ready using int values returned
by these functions and related macro BIO_should_read

...
bytesRead = BIO_read(out, buf, sizeof(buf));
   
while ( (!(bytesRead == 0)) && (count <NTRIES)){
      if (bytesRead <0) {

if(BIO_should_read(out) || BIO_should_retry(out))

This works almost fine with SSLv3 but if I try to use
TLS 1 (server supports both) I receive too many
connection errors.

Checking what is happening with ssldump I see the
handshake hangs up on ClientKeyExchange when the
master key should already be agreed

ssldump -q

6 1  0.1293 (0.1293)  C>S SSLv2 compatible client hello
6 2  0.2623 (0.1329)  S>C  Handshake      ServerHello
6 3  0.6656 (0.4032)  S>C  Handshake      Certificate
      ServerKeyExchange
      CertificateRequest
        certificate_authority
        certificate_authority
      ServerHelloDone
6 4  0.6945 (0.0289)  C>S  Handshake      Certificate
6 5  0.8243 (0.1298)  C>S  Handshake      ClientKeyExchange

How could I improve and possibly speed up ssl
connection time in a correct manner ?

Thanks,
Marco Rossi


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Improving ssl connection time

Joseph Oreste Bruni
You might want to check out SSL_set_session() and friends. This will  
allow your programs to reuse a session and avoid the negotiation.



On May 7, 2006, at 8:03 AM, Marco Rossi wrote:

> Dear all,
>
> I'm working with an xml messaging protocol where
> messages are exchanged by means of ssl connections.
>
> The client needs to open/close a new connection for
> every message to be sent (the server adopts this policy
> and it is not possible to change it), so I was trying
> to understand a little more on BIO_do_connect.
>
> In the past, I used to "sleep(2)" on BIO_do_connect
> to wait for the ssl handshake to be performed, here is a
> snippet of code
>
> // CTX settings (keys, cert,...)
> BIO_get_ssl(out, &ssl);
> SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
> BIO_set_nbio(out,1);
>
> if (BIO_do_connect(out) <= 0){
>      sleep(2);
> }
>
> However I noticed "sleep(2)" slows down my client
> application, I got better times if I don't use sleep
> and I go directly to use BIO_read and BIO_write, and
> wait for the BIO to be ready using int values returned
> by these functions and related macro BIO_should_read
>
> ...
> bytesRead = BIO_read(out, buf, sizeof(buf));
>
> while ( (!(bytesRead == 0)) && (count <NTRIES)){
>       if (bytesRead <0) {
>
> if(BIO_should_read(out) || BIO_should_retry(out))
>
> This works almost fine with SSLv3 but if I try to use
> TLS 1 (server supports both) I receive too many
> connection errors.
>
> Checking what is happening with ssldump I see the
> handshake hangs up on ClientKeyExchange when the
> master key should already be agreed
>
> ssldump -q
>
> 6 1  0.1293 (0.1293)  C>S SSLv2 compatible client hello
> 6 2  0.2623 (0.1329)  S>C  Handshake      ServerHello
> 6 3  0.6656 (0.4032)  S>C  Handshake      Certificate
>       ServerKeyExchange
>       CertificateRequest
>         certificate_authority
>         certificate_authority
>       ServerHelloDone
> 6 4  0.6945 (0.0289)  C>S  Handshake      Certificate
> 6 5  0.8243 (0.1298)  C>S  Handshake      ClientKeyExchange
>
> How could I improve and possibly speed up ssl
> connection time in a correct manner ?
>
> Thanks,
> Marco Rossi
>
>

