Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Hello,

The registry thing is for Winsock of course, for some timeout... Ok, could you please also comment on my C++ code posted? Could there be an AV somewhere that I didn't see??

Regards,
SZ

On Fri, Mar 13, 2009 at 8:50 PM, Arno Garrels <arno.garr...@gmx.de> wrote:

> Fastream Technologies wrote:
>> I am still curious whether there is a way to increase the timeout for the connection handshake--possibly in registry.
>
> OpenSSL and the registry makes no sense to me?
>
>> I won't implement session caching because it is not realistic to assume same clients accessing the server--you wrote that client and server both must support for session caching.
>
> That's correct and most browsers in use today support it. SSL session caching indeed may only speed up negotiation of the SSL connection. For example, very useful in FTP when a secure data connection is established or in HTTP with non-persistent connections.
>
>> I want the worst case scenario. Let's think botnet of 1000 zombie IE activeX's attacking our SSL proxy!
>
> I guess that those kinds of DoS clients will never use SSL session caching. Maybe some kind of short-time blacklisting is more helpful in those cases?
>
> --
> Arno Garrels [TeamICS]
> http://www.overbyte.be/eng/overbyte/teamics.html

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Fastream Technologies wrote:
> Ok, could you please also comment on my C++ code posted? Could there be an AV somewhere that I didn't see??

Concerning your design (one cache instance per thread) I'm a bit confused. Do you also use one instance of SslContext per thread? One context = one cache, both ought to be thread-safe, so one instance of each is IMO enough. The event handler code looks OK.

--
Arno Garrels
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Yes, there is one listener thread, one listener socket and one SSL context per thread = 1. If the user decides to listen on multiple threads, then these are all multiplied of course.

On Sat, Mar 14, 2009 at 8:01 PM, Arno Garrels <arno.garr...@gmx.de> wrote:

> Fastream Technologies wrote:
>> Ok, could you please also comment on my C++ code posted? Could there be an AV somewhere that I didn't see??
>
> Concerning your design (one cache instance per thread) I'm a bit confused. Do you also use one instance of SslContext per thread? One context = one cache, both ought to be thread-safe, so one instance of each is IMO enough. The event handler code looks OK.
>
> --
> Arno Garrels
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Hello Arno,

The customer still complains with 0.9.8i! Due to PCI compliance, they must disable SSLv2 and that part works. The strange things are:
- only the https port stalls
- no fatal issue--the service could shut down gracefully
- 3 drops in 24 hours

HTH,
SZ

On Thu, Mar 12, 2009 at 7:56 PM, Arno Garrels <arno.garr...@gmx.de> wrote:

> Fastream Technologies wrote:
>> Hello,
>> Seems that the connections are rejected. I am using TSslContext options to set the SSL version and the customer disabled SSLv2. He says IE and FF on Win. gave general SSL errors yet Opera on Blackberry complained about TLSv1 but unfortunately he could not recall the exact message.
>
> Provided SSLv2 is correctly disabled in your code (we discussed this topic multiple times in the ICS-SSL list, AFAIR), I would search the newer OpenSSL change logs first since this _might_ be a known or fixed SSL handshake issue in OpenSSL (rather unlikely, though). The worst case with session caching _should_ be no successful hits on lookups, which indeed was slower than no session caching.
>
> --
> Arno Garrels
>
>> Regards,
>> Gorkem Ates
>>
>> On Thu, Mar 12, 2009 at 6:25 PM, Arno Garrels <arno.garr...@gmx.de> wrote:
>>
>>> Fastream Technologies wrote:
>>>> Hello,
>>>> Our customer complains that when they run it for some time, only the ssl ports get stuck and reset connections.
>>>
>>> Does that mean established connections are dropped? Or are connection attempts rejected?
>>>
>>>> Arno, could there be a problem with the avl tree caching class you provided
>>>
>>> Nothing is impossible ;-) Years ago I tested this class successfully in a MT server, however that does of course not guarantee it's bug-free. If you think it is making the trouble you could switch to OpenSSL's own session caching. However, if I were you I would try to reproduce the issue in order to find out what actually goes wrong.
>>>
>>>> --have you recently fixed any issues?
>>>
>>> No, just one or two minor Unicode changes last year.
>>>
>>> --
>>> Arno Garrels
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Hello,

I can see on my Vista x64 the reverse proxy drops SSL connections with our web stress tester: http://www.fastream.com/WebStressTester.zip but not sure why. With plain HTTP, it works with no dropping. Could you guys repeat the same tests there against your ICS SSL servers?

For some reason, with my BCB2007 and ICSv6, I am unable to compile the ICS HTTPS Web Server .pas. Complains about session cache base class...

Regards,
SZ

On Fri, Mar 13, 2009 at 9:16 AM, Fastream Technologies <ga...@fastream.com> wrote:

> Hello Arno,
>
> The customer still complains with 0.9.8i! Due to PCI compliance, they must disable SSLv2 and that part works. The strange things are:
> - only the https port stalls
> - no fatal issue--the service could shut down gracefully
> - 3 drops in 24 hours
>
> HTH,
> SZ
>
> On Thu, Mar 12, 2009 at 7:56 PM, Arno Garrels <arno.garr...@gmx.de> wrote:
>
>> Fastream Technologies wrote:
>>> Hello,
>>> Seems that the connections are rejected. I am using TSslContext options to set the SSL version and the customer disabled SSLv2. He says IE and FF on Win. gave general SSL errors yet Opera on Blackberry complained about TLSv1 but unfortunately he could not recall the exact message.
>>
>> Provided SSLv2 is correctly disabled in your code (we discussed this topic multiple times in the ICS-SSL list, AFAIR), I would search the newer OpenSSL change logs first since this _might_ be a known or fixed SSL handshake issue in OpenSSL (rather unlikely, though). The worst case with session caching _should_ be no successful hits on lookups, which indeed was slower than no session caching.
>>
>> --
>> Arno Garrels
>>
>>> Regards,
>>> Gorkem Ates
>>>
>>> On Thu, Mar 12, 2009 at 6:25 PM, Arno Garrels <arno.garr...@gmx.de> wrote:
>>>
>>>> Fastream Technologies wrote:
>>>>> Hello,
>>>>> Our customer complains that when they run it for some time, only the ssl ports get stuck and reset connections.
>>>>
>>>> Does that mean established connections are dropped? Or are connection attempts rejected?
>>>>
>>>>> Arno, could there be a problem with the avl tree caching class you provided
>>>>
>>>> Nothing is impossible ;-) Years ago I tested this class successfully in a MT server, however that does of course not guarantee it's bug-free. If you think it is making the trouble you could switch to OpenSSL's own session caching. However, if I were you I would try to reproduce the issue in order to find out what actually goes wrong.
>>>>
>>>>> --have you recently fixed any issues?
>>>>
>>>> No, just one or two minor Unicode changes last year.
>>>>
>>>> --
>>>> Arno Garrels
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Fastream Technologies wrote:
> I can see on my Vista x64 the reverse proxy drops SSL connections with our web stress tester:

I can produce plenty of dropped entries against the SslWebserver demo as well, on both ports. The more clients and threads are set up in the test app, the more refused connections. That's the expected behaviour. Since SSL handshakes are rather expensive, less load is required until the first SSL connection is refused. And the test app obviously does not support session caching. An option for session caching would be helpful in order to be able to compare.

--
Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
I am still curious whether there is a way to increase the timeout for the connection handshake--possibly in registry. I won't implement session caching because it is not realistic to assume same clients accessing the server--you wrote that client and server both must support for session caching. I want the worst case scenario. Let's think botnet of 1000 zombie IE activeX's attacking our SSL proxy!

(BTW, I have seen such an attack with HTTP on one of my servers. I know it was a botnet because 99% of the traffic was from Turkey and Germany where Turkish population concentration is high and the logs showed 99.99% GET / 's. Normally the domain was getting 20-30 hits per hour yet during the attack, it rose to 1200 connections/sec. I knew who was behind it but had no proof. Had to pay for an attorney and suddenly the attack was over in 6 days! He must have rented the botnet from a malicious hacker team.)

Regards,
SZ

On Fri, Mar 13, 2009 at 6:20 PM, Arno Garrels <arno.garr...@gmx.de> wrote:

> Fastream Technologies wrote:
>> I can see on my Vista x64 the reverse proxy drops SSL connections with our web stress tester:
>
> I can produce plenty of dropped entries against the SslWebserver demo as well, on both ports. The more clients and threads are set up in the test app, the more refused connections. That's the expected behaviour. Since SSL handshakes are rather expensive, less load is required until the first SSL connection is refused. And the test app obviously does not support session caching. An option for session caching would be helpful in order to be able to compare.
>
> --
> Arno Garrels [TeamICS]
> http://www.overbyte.be/eng/overbyte/teamics.html
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Take a look at this URL: http://lbwiki.com/index.php/What_do_I_need_in_SSL_TPS_Performance%3F

I believe we need to satisfy 100Mbps with hardware accelerator support for OpenSSL utilized. Only THEN would we be a real world-class solution. Currently, local-to-local, our reverse proxy does 20 TPS with the stress tester.

Regards,
SZ

On Fri, Mar 13, 2009 at 8:02 PM, Fastream Technologies <ga...@fastream.com> wrote:

> I am still curious whether there is a way to increase the timeout for the connection handshake--possibly in registry. I won't implement session caching because it is not realistic to assume same clients accessing the server--you wrote that client and server both must support for session caching. I want the worst case scenario. Let's think botnet of 1000 zombie IE activeX's attacking our SSL proxy!
>
> (BTW, I have seen such an attack with HTTP on one of my servers. I know it was a botnet because 99% of the traffic was from Turkey and Germany where Turkish population concentration is high and the logs showed 99.99% GET / 's. Normally the domain was getting 20-30 hits per hour yet during the attack, it rose to 1200 connections/sec. I knew who was behind it but had no proof. Had to pay for an attorney and suddenly the attack was over in 6 days! He must have rented the botnet from a malicious hacker team.)
>
> Regards,
> SZ
>
> On Fri, Mar 13, 2009 at 6:20 PM, Arno Garrels <arno.garr...@gmx.de> wrote:
>
>> Fastream Technologies wrote:
>>> I can see on my Vista x64 the reverse proxy drops SSL connections with our web stress tester:
>>
>> I can produce plenty of dropped entries against the SslWebserver demo as well, on both ports. The more clients and threads are set up in the test app, the more refused connections. That's the expected behaviour. Since SSL handshakes are rather expensive, less load is required until the first SSL connection is refused. And the test app obviously does not support session caching. An option for session caching would be helpful in order to be able to compare.
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Fastream Technologies wrote:
> I am still curious whether there is a way to increase the timeout for the connection handshake--possibly in registry.

OpenSSL and the registry makes no sense to me?

> I won't implement session caching because it is not realistic to assume same clients accessing the server--you wrote that client and server both must support for session caching.

That's correct and most browsers in use today support it. SSL session caching indeed may only speed up negotiation of the SSL connection. For example, very useful in FTP when a secure data connection is established or in HTTP with non-persistent connections.

> I want the worst case scenario. Let's think botnet of 1000 zombie IE activeX's attacking our SSL proxy!

I guess that those kinds of DoS clients will never use SSL session caching. Maybe some kind of short-time blacklisting is more helpful in those cases?

--
Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html
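The short-time blacklisting Arno suggests above, as an added example that is not part of the thread and not ICS code: a per-client sliding-window counter of failed or abandoned SSL handshakes that refuses further handshakes from that address for a while, so a client that keeps opening connections and never finishes the handshake stops costing the server OpenSSL work. The class and method names are hypothetical, and the caller is assumed to supply its own clock in seconds.

```cpp
// Added example, not from the thread or from ICS. HandshakeGuard is a
// hypothetical name; the listener would consult it before handing an
// accepted socket to OpenSSL, and report handshake outcomes back to it.
#include <cstddef>
#include <cstdint>
#include <deque>
#include <map>
#include <string>

class HandshakeGuard {
public:
    // maxFailures failed/abandoned handshakes within windowSec seconds
    // put the client on the blacklist for banSec seconds.
    HandshakeGuard(unsigned maxFailures, unsigned windowSec, unsigned banSec)
        : maxFailures_(maxFailures), windowSec_(windowSec), banSec_(banSec) {}

    // Call before starting the SSL handshake. Returns false while the client
    // is banned; the caller should then close the socket without doing any
    // expensive handshake work.
    bool allow(const std::string& clientIp, uint64_t nowSec) {
        std::map<std::string, uint64_t>::iterator ban = bans_.find(clientIp);
        if (ban != bans_.end()) {
            if (nowSec < ban->second) return false;   // still banned
            bans_.erase(ban);                         // ban expired
        }
        return true;
    }

    // Call when a handshake fails or the peer disconnects mid-handshake.
    // Returns true if this failure tripped the blacklist.
    bool recordFailure(const std::string& clientIp, uint64_t nowSec) {
        std::deque<uint64_t>& hist = failures_[clientIp];
        hist.push_back(nowSec);
        // Forget failures that fell out of the sliding window.
        while (!hist.empty() && hist.front() + windowSec_ <= nowSec)
            hist.pop_front();
        if (hist.size() >= maxFailures_) {
            bans_[clientIp] = nowSec + banSec_;
            hist.clear();
            return true;
        }
        return false;
    }

    // Call when a handshake completes: a real browser that finishes its
    // handshakes should not accumulate failures from the odd hiccup.
    void recordSuccess(const std::string& clientIp) {
        failures_.erase(clientIp);
    }

    // Number of addresses currently banned (for a status page or log line).
    std::size_t bannedCount(uint64_t nowSec) const {
        std::size_t n = 0;
        for (std::map<std::string, uint64_t>::const_iterator it = bans_.begin();
             it != bans_.end(); ++it)
            if (nowSec < it->second) ++n;
        return n;
    }

private:
    unsigned maxFailures_, windowSec_, banSec_;
    std::map<std::string, std::deque<uint64_t> > failures_;  // per-client failure times
    std::map<std::string, uint64_t> bans_;                   // client -> ban expiry
};
```

In a multi-threaded listener the guard must be shared across threads and protected by a lock, otherwise each thread only sees a fraction of a client's attempts.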
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Never had problems with it. We have several https servers running 24/7 without problems. They are using ICS V5. The new beta version (D2009-ICS V7) runs fine too, but it's currently http with a hardware SSL decoder.

Paul

----- Original Message -----
From: Fastream Technologies <ga...@fastream.com>
To: ICS support mailing <twsocket@elists.org>
Sent: Thursday, March 12, 2009 3:44 PM
Subject: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?

> Hello,
>
> Our customer complains that when they run it for some time, only the ssl ports get stuck and reset connections. Arno, could there be a problem with the avl tree caching class you provided--have you recently fixed any issues? IQRP is using OpenSSL 0.9.8e.
>
> Regards,
> SZ
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
So here is my new problem-causing code for the avl tree cache:

// In the first part of TThread::Execute:
sslAvlSessionCache = new TSslAvlSessionCache(NULL);
sslAvlSessionCache->FlushInterval = 3000;
// Server-side caching only; lookups and stores go to our own cache,
// not to OpenSSL's internal one (operator<< builds the Delphi set).
HTTPSSLContext->SslSessionCacheModes = TSslSessCacheModes()
    << sslSESS_CACHE_SERVER
    << sslSESS_CACHE_NO_INTERNAL_LOOKUP
    << sslSESS_CACHE_NO_INTERNAL_STORE;
...
// In the last part of TThread::Execute:
delete sslAvlSessionCache;

// OnSslSvrNewSession handler: AddToInternalCache is a 'var' parameter in ICS,
// hence passed by reference here.
void __fastcall ReverseProxyThread::ReverseProxyNewSSLSession(TObject *Sender,
    Pointer SslSession, Pointer SessId, int Idlen, bool &AddToInternalCache)
{
    String LookupKey;
    LookupKey.SetLength(Idlen);
    Move(SessId, LookupKey.c_str(), Idlen);   // copy the raw session id bytes into the key
    // "IQRP" is a per-product suffix appended to the session id (assumed to be a
    // string literal; the quotes were lost in the posting).
    sslAvlSessionCache->CacheSvrSession(SslSession, LookupKey + "IQRP", AddToInternalCache);
}
//---
// OnSslSvrGetSession handler: SslSession and IncRefCount are 'var' parameters in
// ICS, so both must be references, otherwise the session found is never returned.
void __fastcall ReverseProxyThread::ReverseProxyGetSSLSession(TObject *Sender,
    Pointer &SslSession, Pointer SessId, int Idlen, bool &IncRefCount)
{
    String LookupKey;
    LookupKey.SetLength(Idlen);
    Move(SessId, LookupKey.c_str(), Idlen);
    SslSession = sslAvlSessionCache->GetSvrSession(LookupKey + "IQRP", IncRefCount);
}
//---

Do you guys see any problems with the code above? It ought to be simple yet there are still complaints which I have to handle... BTW, I think -after fixing- the above code would be a good C++ example code...

Regards,
SZ

On Thu, Mar 12, 2009 at 4:55 PM, Paul <paul.blommae...@telenet.be> wrote:

> Never had problems with it. We have several https servers running 24/7 without problems. They are using ICS V5. The new beta version (D2009-ICS V7) runs fine too, but it's currently http with a hardware SSL decoder.
>
> Paul
>
> ----- Original Message -----
> From: Fastream Technologies <ga...@fastream.com>
> To: ICS support mailing <twsocket@elists.org>
> Sent: Thursday, March 12, 2009 3:44 PM
> Subject: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
>
>> Hello,
>>
>> Our customer complains that when they run it for some time, only the ssl ports get stuck and reset connections. Arno, could there be a problem with the avl tree caching class you provided--have you recently fixed any issues? IQRP is using OpenSSL 0.9.8e.
>>
>> Regards,
>> SZ
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Fastream Technologies wrote:
> Hello,
> Our customer complains that when they run it for some time, only the ssl ports get stuck and reset connections.

Does that mean established connections are dropped? Or are connection attempts rejected?

> Arno, could there be a problem with the avl tree caching class you provided

Nothing is impossible ;-) Years ago I tested this class successfully in a MT server, however that does of course not guarantee it's bug-free. If you think it is making the trouble you could switch to OpenSSL's own session caching. However, if I were you I would try to reproduce the issue in order to find out what actually goes wrong.

> --have you recently fixed any issues?

No, just one or two minor Unicode changes last year.

--
Arno Garrels
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Hello,

Seems that the connections are rejected. I am using TSslContext options to set the SSL version and the customer disabled SSLv2. He says IE and FF on Win. gave general SSL errors yet Opera on Blackberry complained about TLSv1 but unfortunately he could not recall the exact message.

Regards,
Gorkem Ates

On Thu, Mar 12, 2009 at 6:25 PM, Arno Garrels <arno.garr...@gmx.de> wrote:

> Fastream Technologies wrote:
>> Hello,
>> Our customer complains that when they run it for some time, only the ssl ports get stuck and reset connections.
>
> Does that mean established connections are dropped? Or are connection attempts rejected?
>
>> Arno, could there be a problem with the avl tree caching class you provided
>
> Nothing is impossible ;-) Years ago I tested this class successfully in a MT server, however that does of course not guarantee it's bug-free. If you think it is making the trouble you could switch to OpenSSL's own session caching. However, if I were you I would try to reproduce the issue in order to find out what actually goes wrong.
>
>> --have you recently fixed any issues?
>
> No, just one or two minor Unicode changes last year.
>
> --
> Arno Garrels

--
Gorkem Ates
Fastream Technologies
Software IQ: Innovation Quality
www.fastream.com | Email: supp...@fastream.com | Tel: +90-312-223-2830 | MSN: g_a...@hotmail.com
Join IQWF Server Yahoo group at http://groups.yahoo.com/group/IQWFServer
Join IQ Reverse Proxy Yahoo group at http://groups.yahoo.com/group/IQReverseProxy
Re: [twsocket] Is there anybody facing problems with HTTPS server, on SSL port?
Fastream Technologies wrote:
> Hello,
> Seems that the connections are rejected. I am using TSslContext options to set the SSL version and the customer disabled SSLv2. He says IE and FF on Win. gave general SSL errors yet Opera on Blackberry complained about TLSv1 but unfortunately he could not recall the exact message.

Provided SSLv2 is correctly disabled in your code (we discussed this topic multiple times in the ICS-SSL list, AFAIR), I would search the newer OpenSSL change logs first since this _might_ be a known or fixed SSL handshake issue in OpenSSL (rather unlikely, though). The worst case with session caching _should_ be no successful hits on lookups, which indeed was slower than no session caching.

--
Arno Garrels

> Regards,
> Gorkem Ates
>
> On Thu, Mar 12, 2009 at 6:25 PM, Arno Garrels <arno.garr...@gmx.de> wrote:
>
>> Fastream Technologies wrote:
>>> Hello,
>>> Our customer complains that when they run it for some time, only the ssl ports get stuck and reset connections.
>>
>> Does that mean established connections are dropped? Or are connection attempts rejected?
>>
>>> Arno, could there be a problem with the avl tree caching class you provided
>>
>> Nothing is impossible ;-) Years ago I tested this class successfully in a MT server, however that does of course not guarantee it's bug-free. If you think it is making the trouble you could switch to OpenSSL's own session caching. However, if I were you I would try to reproduce the issue in order to find out what actually goes wrong.
>>
>>> --have you recently fixed any issues?
>>
>> No, just one or two minor Unicode changes last year.
>>
>> --
>> Arno Garrels