[rabbitmq-discuss] Client connection to ssl rabbitMQ is very slow
Carl Hörberg
carl.hoerberg at gmail.com
Thu Apr 5 08:10:15 BST 2012
the DHE key exchange algorithm is very computationally intensive, so
make sure you disable it (http://matt.io/entry/ur)
this config allows only the AES 128 cipher with RSA (and not DHE) as
key exchange and SHA as hash algorithm (md5 is somewhat weaker but
faster):
{ssl_options, [{cacertfile,"/etc/rabbitmq/ca.pem"},
               {certfile,"/etc/rabbitmq/cert.pem"},
               {ciphers,[{rsa,aes_128_cbc,sha}]}]}
for all options, see http://www.erlang.org/doc/man/ssl.html, as Emile said.
On Wed, Apr 4, 2012 at 12:43, Emile Joubert <emile at rabbitmq.com> wrote:
> Hi,
>
> On 02/04/12 15:26, Rabbit001 wrote:
>> I've followed the ssl configuration instructions in rabbitmq page
>> 'www.rabbitmq.com/ssl.html' to configure ssl access to rabbitmq server. I've
>> started rabbitmq server correctly and I've executed the example1 (sample
>> code for ssl java client) and the result is good, but the method
>> factory.newConnection() finishes in over 5sg. On the other hand, without ssl the
>> method factory.newConnection() finishes in <200 ms.
>>
>> How do I increase the performance in the first scenario (ssl
>> configuration)? Any idea?
>
> If your broker CPU has hardware support for certain ciphers and OpenSSL
> can make use of it then try to restrict the SSL connection to those
> ciphers, or to prioritise them. The "ciphers" SSL configuration option
> in the broker is one way of achieving that. For configuration details
> see http://www.erlang.org/doc/man/ssl.html
>
> You might also gain some useful insight by using an SSL traffic analyser
> such as "ssldump". If long gaps appear in the timeline then the output
> may help you to determine what is responsible for the delay.
>
> Do other SSL clients also take long to connect? Try using the "openssl
> s_client" option as described here:
> http://www.rabbitmq.com/troubleshooting-ssl.html
> and check whether such connections also take long.
>
> Does the Java client take long to connect when the SSL layer is provided
> by a different SSL service? You can try this by connecting to the broker
> via stunnel, socat or similar.
>
> The last two questions may help you to focus on whether the problem lies
> on the client or server side.
>
>
> -Emile
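Added example, not part of the original thread: one way to find the "long gaps" in an ssldump timeline that Emile mentions, by parsing the per-record time deltas and reporting which handshake message ended each gap. It assumes ssldump's default record layout (connection, record number, time since start, delta in parentheses, direction, type); the sample trace is constructed and the function names are hypothetical.

```python
import re

# ssldump record header: <conn> <record>  <time> (<delta>)  <direction>  <type>
HEADER = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+\.\d+)\s+\((\d+\.\d+)\)\s+(C>S|S>C)\s+(.*)$")

# Constructed sample trace, not captured from a real broker.
SAMPLE = """\
New TCP connection #1: client.example(51514) <-> broker.example(5671)
1 1  0.0021 (0.0021)  C>S  Handshake
      ClientHello
1 2  0.0049 (0.0028)  S>C  Handshake
      ServerHello
1 3  0.0051 (0.0002)  S>C  Handshake
      Certificate
1 4  4.8130 (4.8079)  S>C  Handshake
      ServerKeyExchange
1 5  4.8132 (0.0002)  S>C  Handshake
      ServerHelloDone
1 6  4.8410 (0.0278)  C>S  Handshake
      ClientKeyExchange
1 7  4.8410 (0.0000)  C>S  ChangeCipherSpec
"""

def parse_records(text):
    """One dict per record; the first indented line after a header names the message."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            conn, num, ts, gap, direction, rtype = m.groups()
            records.append({"conn": int(conn), "record": int(num), "time": float(ts),
                            "gap": float(gap), "dir": direction,
                            "type": rtype.strip(), "detail": ""})
        elif records and line.startswith(" ") and line.strip() and not records[-1]["detail"]:
            records[-1]["detail"] = line.strip()
    return records

def slow_steps(text, threshold=0.5):
    """Records that arrived after a gap of at least `threshold` seconds, largest first."""
    hits = [r for r in parse_records(text) if r["gap"] >= threshold]
    return sorted(hits, key=lambda r: r["gap"], reverse=True)

def busy_side(record):
    # Heuristic: the sender of the record that ended the gap was the side being waited on.
    return "server" if record["dir"] == "S>C" else "client"

if __name__ == "__main__":
    for r in slow_steps(SAMPLE):
        print(f'{r["gap"]:.4f}s before {r["detail"] or r["type"]} ({busy_side(r)} side)')
```

A gap that ends at a server-sent ServerKeyExchange, as in the constructed trace, points at server-side key exchange work; a gap before a client-sent record points at the client instead.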