I noticed that the default ssl session cache size is only 128, and the default session timeout is five minutes. If clients are not expiring the session before 5 minutes, and you've got more than 128 clients in 5 minutes, then what should happen?
The openssl documentation is a bit unclear:

SSL_CTX_sess_set_cache_size(3):
  When the maximum number of sessions is reached, no more new sessions are added to the cache. New space may be added by calling SSL_CTX_flush_sessions(3) to remove expired sessions.

SSL_CTX_flush_sessions(3):
  As sessions will not be reused once they are expired, they should be removed from the cache to save resources. This can either be done automatically whenever 255 new sessions were established or manually by calling SSL_CTX_flush_sessions().

And it doesn't look like nsopenssl ever calls SSL_CTX_flush_sessions() explicitly.

So the default cache size is 128, but it's only flushed after 255 sessions? That sounds like trouble. Has anyone tried increasing the 'sessioncachesize' parameter?

Also, it looks like openssl tracks cache full events on a per-ctx basis, but they aren't exposed in nsopenssl. That might be nice to have in a future rev.

-Andrew

On 1/29/07, Alex Kroman <[EMAIL PROTECTED]> wrote:
Hi all,

I turned off keepalive on our production server but am still receiving the "bad write retry" errors.

-Alex

-----Original Message-----
From: AOLserver Discussion [mailto:[EMAIL PROTECTED] On Behalf Of Dossy Shiobara
Sent: Friday, January 26, 2007 10:35 AM
To: [email protected]
Subject: Re: [AOLSERVER] SSL read error: bad write retry

On 2007.01.26, Alex Kroman <[EMAIL PROTECTED]> wrote:
> I had Siege connect to my development server 50,000 times and did not
> receive the bad write retry once. While clicking around the site with
> Siege active I still got the "bad write retry" and a blank page in
> about 75 clicks. This is a similar result to what I would get when my
> development server is not under load.

I smell SSLv2 at play here. I bet Firefox is using TLS or SSLv3, while IE is still using SSLv2.

What do your "protocols" and "ciphersuite" ns_param's look like in your nsopenssl config?

-- Dossy

--
Dossy Shiobara | [EMAIL PROTECTED] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
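The cache-sizing question at the top of this thread, worked through as an added example that is not part of the original messages and is not OpenSSL or nsopenssl code. It models only the man-page wording quoted there (a full cache takes no new sessions, and expired ones are flushed every 255 new sessions); the load of one new client per second, the 1024 comparison size, and all function names are assumptions.

```python
"""Model of the session-cache wording quoted from the OpenSSL man pages in
this thread. Added illustration; it does not call OpenSSL or nsopenssl."""


def simulate(arrivals, cache_size=128, timeout=300, flush_every=255):
    """arrivals: ascending times (seconds) at which a new session is
    established. Returns counters for the whole run."""
    cache = []  # expiry time of each cached session
    stats = {"cached": 0, "cache_full": 0, "flushes": 0, "peak": 0}
    for n, now in enumerate(arrivals, start=1):
        # Documented automatic flush: once per 255 new sessions.
        if n % flush_every == 0:
            cache = [exp for exp in cache if exp > now]
            stats["flushes"] += 1
        if len(cache) < cache_size:
            cache.append(now + timeout)
            stats["cached"] += 1
        else:
            # Documented behaviour at the limit: the session is not cached,
            # so this client cannot resume and pays a full handshake later.
            stats["cache_full"] += 1
        stats["peak"] = max(stats["peak"], len(cache))
    return stats


# Constructed load: one new client per second for ten minutes.
ARRIVALS = range(600)


def compare(sizes=(128, 1024)):
    """Run the same load against several cache sizes (1024 is a made-up
    'sessioncachesize' value chosen for comparison)."""
    return {size: simulate(ARRIVALS, cache_size=size) for size in sizes}


if __name__ == "__main__":
    for size, stats in compare().items():
        print(size, stats)
```

Under this reading the cache has to hold every session created during the timeout plus the wait for the next 255-session flush, which is why the peak for the larger size exceeds 300 entries.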
