Re: [openssl-users] TLS Heartbeat

2016-12-12 Thread Salz, Rich

> Yes. We're thinking of using TLS Heartbeats as a cheaper KeepAlive option in
> idle connections.

Use TCP keepalive if really needed.  That keeps your application level free to 
reap truly idle connections if/when it wants to.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
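
Added example (not from the thread participants or the OpenSSL project): the TCP keepalive approach suggested above, applied to the socket under a TLS connection and read back from the kernel to confirm it. The function names, the `ka_state` struct and the 60/10/5 timings are assumptions for illustration; the `TCP_KEEP*` option names are the Linux ones.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>

struct ka_state { int enabled, idle, interval, count, nodelay; };

static int set_int(int fd, int level, int opt, int val) {
    return setsockopt(fd, level, opt, &val, sizeof val);
}
static int get_int(int fd, int level, int opt, int *out) {
    socklen_t len = sizeof *out;
    return getsockopt(fd, level, opt, out, &len);
}

/* Turn on kernel keepalive probes for fd (for an OpenSSL connection the
 * descriptor comes from SSL_get_fd(ssl)). idle/interval are in seconds,
 * count is the number of unanswered probes. Returns 0 on success, -1 on error. */
int enable_tcp_keepalive(int fd, int idle, int interval, int count) {
    if (idle <= 0 || interval <= 0 || count <= 0)
        return -1;
    if (set_int(fd, SOL_SOCKET, SO_KEEPALIVE, 1) != 0 ||
        set_int(fd, IPPROTO_TCP, TCP_KEEPIDLE, idle) != 0 ||
        set_int(fd, IPPROTO_TCP, TCP_KEEPINTVL, interval) != 0 ||
        set_int(fd, IPPROTO_TCP, TCP_KEEPCNT, count) != 0)
        return -1;
    return 0;
}

/* Read the settings back from the kernel so the caller can verify them. */
int read_keepalive(int fd, struct ka_state *s) {
    if (get_int(fd, SOL_SOCKET, SO_KEEPALIVE, &s->enabled) != 0 ||
        get_int(fd, IPPROTO_TCP, TCP_KEEPIDLE, &s->idle) != 0 ||
        get_int(fd, IPPROTO_TCP, TCP_KEEPINTVL, &s->interval) != 0 ||
        get_int(fd, IPPROTO_TCP, TCP_KEEPCNT, &s->count) != 0 ||
        get_int(fd, IPPROTO_TCP, TCP_NODELAY, &s->nodelay) != 0)
        return -1;
    s->enabled = !!s->enabled;
    s->nodelay = !!s->nodelay;  /* 0 means the Nagle algorithm is untouched */
    return 0;
}

int main(void) {
    struct ka_state s;
    int fd = socket(AF_INET, SOCK_STREAM, 0);  /* constructed, unconnected socket */
    int rc = fd < 0 || enable_tcp_keepalive(fd, 60, 10, 5) || read_keepalive(fd, &s);
    if (fd >= 0) close(fd);
    return rc != 0;
}
```

The probes are sent by the kernel, so nothing is written through the TLS layer and the application can still close connections it considers idle.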


Re: [openssl-users] TLS Heartbeat

2016-12-11 Thread Rasool, Kaja Mohideen (Nokia - IN)
Yes. We're thinking of using TLS Heartbeats as a cheaper KeepAlive option in idle 
connections.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Michael Wojcik
Sent: Monday, December 12, 2016 12:19 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] TLS Heartbeat

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Kyle Hamilton
> Sent: Sunday, December 11, 2016 02:29
> To: openssl-users
> Subject: Re: [openssl-users] TLS Heartbeat
>
> disable O_NAGLE on the socket?

Do you mean enable TCP_NODELAY? That's the standard (POSIX / SUSv3) option that 
disables the Nagle algorithm.

Using it is generally a sign of poorly-written software, created by someone who 
couldn't take the time to learn how TCP works. But then given the OP's 
description of the original problem, disabling the Nagle algorithm is likely 
not the most egregious design decision here. I'll echo Rich's sentiment: If 
you're using TLS heartbeat, You're Doing It Wrong.

Also, note that Nagle / Delayed ACK interaction should only delay transmission 
for up to 200ms. The OP didn't provide any actual useful information about what 
the "problem" is, so we don't know whether the heartbeats would have been 
transmitted after 200ms.

If they're not being transmitted for some other reason (e.g. receive window 
advertised as closed), then  disabling Nagle won't make any difference.

Michael Wojcik 
Distinguished Engineer, Micro Focus 





Re: [openssl-users] TLS Heartbeat

2016-12-11 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Kyle Hamilton
> Sent: Sunday, December 11, 2016 02:29
> To: openssl-users
> Subject: Re: [openssl-users] TLS Heartbeat
>
> disable O_NAGLE on the socket?

Do you mean enable TCP_NODELAY? That's the standard (POSIX / SUSv3) option that 
disables the Nagle algorithm.

Using it is generally a sign of poorly-written software, created by someone who 
couldn't take the time to learn how TCP works. But then given the OP's 
description of the original problem, disabling the Nagle algorithm is likely 
not the most egregious design decision here. I'll echo Rich's sentiment: If 
you're using TLS heartbeat, You're Doing It Wrong.

Also, note that Nagle / Delayed ACK interaction should only delay transmission 
for up to 200ms. The OP didn't provide any actual useful information about what 
the "problem" is, so we don't know whether the heartbeats would have been 
transmitted after 200ms.

If they're not being transmitted for some other reason (e.g. receive window 
advertised as closed), then  disabling Nagle won't make any difference.

Michael Wojcik 
Distinguished Engineer, Micro Focus 





Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Jeffrey Walton
On Sat, Dec 10, 2016 at 9:25 PM, Rasool, Kaja Mohideen (Nokia - IN)
 wrote:
> Ok, maybe, TCP is doing it. Is there any other API using which I can specify
> the payload length & number of bytes for padding to send a TLS Heartbeat
> request? Then, I can use that API to send out a big enough heartbeat request
> so my server recognizes & responds to it.

Maybe related, see
https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/.
It shows how to measure and adjust for some throughput improvements.


Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Kyle Hamilton
disable O_NAGLE on the socket?

-Kyle H

On Sat, Dec 10, 2016 at 8:04 AM, Salz, Rich  wrote:

> Heartbeats?  Yuk, why.
>
>
>
> Most likely, TCP is buffering things until you get a big enough data
> packet.   I don’t know how to address that.


Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Rasool, Kaja Mohideen (Nokia - IN)
Ok, maybe, TCP is doing it. Is there any other API using which I can specify 
the payload length & number of bytes for padding to send a TLS Heartbeat 
request? Then, I can use that API to send out a big enough heartbeat request so 
my server recognizes & responds to it.

// Kaja

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Salz, Rich
Sent: Saturday, December 10, 2016 9:35 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] TLS Heartbeat

Heartbeats?  Yuk, why.

Most likely, TCP is buffering things until you get a big enough data packet.   
I don't know how to address that.


Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Salz, Rich
Heartbeats?  Yuk, why.

Most likely, TCP is buffering things until you get a big enough data packet.   
I don’t know how to address that.