Thanks Juan for your response. Appreciate it.
But for some reason still, I am facing the same SSL handshake failed (5).
Could you please check this configuration and let me know the issue in my
ovirt engine environment.

*Configuration of Apache server:*

1) httpd version,

# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Oct 19 2017 20:39:16

2) I checked the status using the following command,

# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor
preset: disabled)
   Active: active (running) since Wed 2018-03-07 23:46:32 IST; 1min 55s ago
     Docs: man:httpd(8)
  Process: 4351 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited,
 Main PID: 4359 (httpd)
   Status: "Total requests: 264; Current requests/sec: 0.1; Current
traffic: 204 B/sec"
   CGroup: /system.slice/httpd.service
           ├─4359 /usr/sbin/httpd -DFOREGROUND
           ├─4360 /usr/sbin/httpd -DFOREGROUND
           ├─4362 /usr/sbin/httpd -DFOREGROUND
           ├─5100 /usr/sbin/httpd -DFOREGROUND
           ├─5386 /usr/sbin/httpd -DFOREGROUND
           ├─5415 /usr/sbin/httpd -DFOREGROUND
           └─5416 /usr/sbin/httpd -DFOREGROUND

3) Since the httpd is pointing to the path :

vi /usr/lib/systemd/system/httpd.service

Description=The Apache HTTP Server

ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to
# httpd time to finish.


4) As per the above command I found the env file is available

vi /etc/sysconfig/httpd

# This file can be used to set additional environment variables for
# the httpd process, or pass additional options to the httpd
# executable.
# Note: With previous versions of httpd, the MPM could be changed by
# editing an "HTTPD" variable here.  With the current version, that
# variable is now ignored.  The MPM is a loadable module, and the
# choice of MPM can be changed by editing the configuration file

# To pass additional options (for instance, -D definitions) to the
# httpd binary at startup, set OPTIONS here.

# This setting ensures the httpd process is started in the "C" locale
# by default.  (Some modules will not behave correctly if
# case-sensitive string comparisons are performed in a different
# locale.)

5) As per the above command, I found that the conf fileis available in the
path : /etc/httpd/conf.modules.d/00-mpm.conf

vi /etc/httpd/conf.modules.d/00-mpm.conf

# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
# See:
#LoadModule mpm_prefork_module modules/

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See:
LoadModule mpm_worker_module modules/

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See:
#LoadModule mpm_event_module modules/

<IfModule mpm_worker_module>
   ServerLimit 1000
   MaxRequestWorkers 1000

As per your comment, I enabled the 'LoadModule mpm_worker_module
modules/' with the ServerLimit and MaxRequestWorkers as
1000 still I am facing the issue for the following command in apache
benchmark test.

Completed 100 requests
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).

NOTE : It always scales when I have concurrent request below 400

What is wrong in this apache configuration, why SSL handshake is failing
for concurrent request above 400 ?


On Wed, Mar 7, 2018 at 9:20 PM, Juan Hernández <> wrote:

> It means that with the default configuration the Apache web server can't
> serve more than 256 concurrent connections. This applies to any application
> that uses Apache as the web frontend, not just to oVirt. If you want to
> change that you have to change the MaxRequestWorkers and ServerLimit
> parameters, as explained here:
> So, go to your oVirt engine machine and create a /etc/httpd/conf.d/my.conf
> file with this content:
>   MaxRequestWorkers 1000
>   ServerLimit 1000
> Then restart the Apache server:
>   # systemctl restart httpd
> Then your web server should be able to handle 1000 concurrent requests,
> and you will probably start to find other limits, like the amount of memory
> and CPU that those 1000 Apache child processes will consume, the number of
> threads in the JBoss application server, the number of connections to the
> database, etc.
> Let me insist a bit that if you base your benchmark solely on the number
> of concurrent requests or connections that the server can handle you may
> end up with meaningless results, as a real world application can/should use
> the server much better than that.
> On 03/07/2018 04:33 PM, Hari Prasanth Loganathan wrote:
>> With the default configuration of the web server it is impossible to
>> handle
>> more than 256 *connections* simultaneously. I guess that "ab" is opening a
>> connection for each concurrent request, so when you reach request 257 the
>> web server will just reject the connection, there is nothing that the
>> JBoss
>> can do about it; you have to increase the number of connections supported
>> by the web server.
>> *So Does it mean that oVirt cannot serve more than 257 request? *
>> My question is, If its possible How to scale this and what is the
>> configuration we need to change?
>> Also, we are taking a benchmark in using oVirt, So I need to find the
>> maximum possible oVirt request. So please let me know the configuration
>> tuning for oVirt to achieve maximum concurrent request.
>> Thanks,
>> Hari
>> On Wed, Mar 7, 2018 at 7:25 PM, Juan Hernández <>
>> wrote:
>> With the default configuration of the web server it is impossible to
>>> handle more than 256 *connections* simultaneously. I guess that "ab" is
>>> opening a connection for each concurrent request, so when you reach
>>> request
>>> 257 the web server will just reject the connection, there is nothing that
>>> the JBoss can do about it; you have to increase the number of connections
>>> supported by the web server.
>>> Or else you may want to re-consider why you want to use 1000 simultaneous
>>> connections. It may be OK for a performance test, but there are better
>>> ways
>>> to squeeze performance. For example, you could consider using HTTP
>>> pipelining, which is much more friendly for the server than so many
>>> connections. This is what we use when we need to send a large number of
>>> requests from other systems. There are examples of how to do that with
>>> the
>>> Python and Ruby SDKs here:
>>>    Python:
>>> examples/
>>>    Ruby:
>>> sdk/examples/asynchronous_inventory.rb
>>> On 03/07/2018 02:43 PM, Hari Prasanth Loganathan wrote:
>>> Hi Juan,
>>>> Thanks for the response.
>>>> I agree web server can handle only limited number of concurrent
>>>> requests.
>>>> But Why it is failing with SSL handshake failure for few requests, Can't
>>>> the JBOSS wait and serve the request? We can spare the delay but not
>>>> with
>>>> the request fails. So Is there a configuration in oVirt which can be
>>>> tuned
>>>> to achieve this?
>>>> Thanks,
>>>> Hari
>>>> On Wed, Mar 7, 2018 at 7:05 PM, Juan Hernández <>
>>>> wrote:
>>>> The first thing you will need to change for such a test is the number of
>>>>> simultaneous connections accepted by the Apache web server: by default
>>>>> the
>>>>> max is 256. See the Apache documentation here:
>>>>> axrequestworkers
>>>>> In addition I also suggest that you consider using the "worker"
>>>>> multi-processing module instead of the "prefork", as it usually works
>>>>> better when talking to a Java application server, because it re-uses
>>>>> connections better.
>>>>> On 03/07/2018 02:20 PM, Hari Prasanth Loganathan wrote:
>>>>> Hi Team,
>>>>>> *Description of problem:*
>>>>>> I am trying to achieve 1000 concurrent request to oVirt. What are the
>>>>>> tunable parameters to achieve this?
>>>>>> I tried to perform the benchmarking for ovirt engine using Apache
>>>>>> benchmark
>>>>>> using the same SSO token.
>>>>>> ab -n 1000 -c 500 -k -H "accept: application/json" -H "Authorization:
>>>>>> Bearer SSOTOKEN"
>>>>>> <
>>>>>> b-9ff1-076fc07ebf50/statistics>
>>>>>> When the number of concurrent request is 500, we are getting more than
>>>>>> 100
>>>>>> failures with the following error,
>>>>>> SSL read failed (1) - closing connection
>>>>>> 139620982339352:error:
>>>>>> NOTE: It is scaling for concurrent request below 500.
>>>>>> I used the profiler to get the memory and CPU and it seems very less,
>>>>>>      PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+
>>>>>> COMMAND
>>>>>> 30413 ovirt     20   0 4226664 882396   6776 S 126.0 23.0  27:48.53
>>>>>> java
>>>>>> Configuration of the machine in which Ovirt is deployed :
>>>>>> RAM - 4GB,
>>>>>> Hard disk - 100GB,
>>>>>> core processor - 2,
>>>>>> OS - Cent7.x.
>>>>>> In which 2GB is allocated to oVirt.
>>>>>> Version-Release number of selected component (if applicable):
>>>>>> 4.2.2
>>>>>> How reproducible:
>>>>>> If the number of concurrent requests are above 500, we are easily
>>>>>> facing
>>>>>> this issue.
>>>>>> *Actual results:*
>>>>>> SSL read failed (1) - closing connection
>>>>>> 139620982339352:error:
>>>>>> *Expected results:*
>>>>>> Request success.
>>>>>> Thanks,
>>>>>> Hari
>>>>>> _______________________________________________
>>>>>> Users mailing list



The information in this e-mail is confidential and may be subject to legal 
privilege. It is intended solely for the addressee. Access to this e-mail 
by anyone else is unauthorized. If you have received this communication in 
error, please address with the subject heading "Received in error," send to,  then delete the e-mail and destroy any copies of 
it. If you are not the intended recipient, any disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on it, 
is prohibited and may be unlawful. The views, opinions, conclusions and 
other information expressed in this electronic mail and any attachments are 
not given or endorsed by the company unless otherwise indicated by an 
authorized representative independent of this message.
MSys cannot guarantee that e-mail communications are secure or error-free, 
as information could be intercepted, corrupted, amended, lost, destroyed, 
arrive late or incomplete, or contain viruses, though all reasonable 
precautions have been taken to ensure no viruses are present in this e-mail. 
As our company cannot accept responsibility for any loss or damage arising 
from the use of this e-mail or attachments we recommend that you subject 
these to your virus checking procedures prior to use
Users mailing list

Reply via email to