[rabbitmq-discuss] Client connection to ssl rabbitMQ is very slow

Rabbit001 rcrespopanizo at gmail.com
Mon Apr 9 08:23:00 BST 2012

Hi Carl,

I followed your instructions and modified rabbitmq.config to include
{ciphers,[{rsa,aes_128_cbc,sha}]}. The server starts correctly but my client
displays this error:

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(10000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1317113069 bytes = { 232, 24, 48, 31, 62, 172, 47, 240,
38, 205, 140, 162, 102, 226, 22, 0, 240, 6, 93, 111, 113, 187, 44, 85, 132,
255, 0, 48 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
Compression Methods:  { 0 }
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, waiting for close_notify or alert: state 1
main, Exception while waiting for close java.net.SocketException: Connection
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Connection reset by
peer: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Exception in thread "main" java.net.SocketException: Connection reset
	at java.net.SocketInputStream.read(Unknown Source)
	at com.sun.net.ssl.internal.ssl.InputRecord.readFully(Unknown Source)
	at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(Unknown Source)
	at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.kickstart(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.kickstartHandshake(Unknown
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
	at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
	at java.io.BufferedOutputStream.flush(Unknown Source)
	at java.io.DataOutputStream.flush(Unknown Source)
	at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:287)
	at mediapost.tests.RabbitMQSSLSample.main(RabbitMQSSLSample.java:24)

Any idea?

Best Regards,

Carl Hörberg wrote:
> the DHE key exchange algorithm is very computationally intensive, so
> make sure you disable it (http://matt.io/entry/ur)
> this config allows only the AES 128 cipher with RSA (and not DHE) as
> key exchange and SHA as hash algorithm (md5 is somewhat weaker but
> faster):
> {ssl_options, [{cacertfile,"/etc/rabbitmq/ca.pem"},
>                     {certfile,"/etc/rabbitmq/cert.pem"},
>                     {ciphers,[{rsa,aes_128_cbc,sha}]}]}
> for all options, see http://www.erlang.org/doc/man/ssl.html, as Emile
> said.
> On Wed, Apr 4, 2012 at 12:43, Emile Joubert <emile at rabbitmq.com> wrote:
>> Hi,
>> On 02/04/12 15:26, Rabbit001 wrote:
>>>   I've followed the ssl configuration instructions on the rabbitmq page
>>> 'www.rabbitmq.com/ssl.html' to configure ssl access to the rabbitmq server.
>>> I've started the rabbitmq server correctly and I've executed example1 (sample
>>> code for the ssl java client) and the result is good, but the method
>>> factory.newConnection() takes over 5 sec to finish. On the other hand, without ssl
>>> the method factory.newConnection() finishes in <200 ms.
>>>   How do I increase the performance in the first scenario (ssl
>>> configuration)? Any idea?
>> If your broker CPU has hardware support for certain ciphers and OpenSSL
>> can make use of it then try to restrict the SSL connection to those
>> ciphers, or to prioritise them. The "ciphers" SSL configuration option
>> in the broker is one way of achieving that. For configuration details
>> see http://www.erlang.org/doc/man/ssl.html
>> You might also gain some useful insight by using an SSL traffic analyser
>> such as "ssldump". If long gaps appear in the timeline then the output
>> may help you to determine what is responsible for the delay.
>> Do other SSL clients also take long to connect? Try using the "openssl
>> s_client" option as described here:
>> http://www.rabbitmq.com/troubleshooting-ssl.html
>> and check whether such connections also take long.
>> Does the Java client take long to connect when the SSL layer is provided
>> by a different SSL service? You can try this by connecting to the broker
>> via stunnel, socat or similar.
>> The last two questions may help you to focus on whether the problem lies
>> on the client or server side.
>> -Emile
>> _______________________________________________
>> rabbitmq-discuss mailing list
>> rabbitmq-discuss at lists.rabbitmq.com
>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

View this message in context: http://old.nabble.com/Client-connection-to-ssl-rabbitMQ-is-very-slow-tp33544994p33654326.html
Sent from the RabbitMQ mailing list archive at Nabble.com.
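
Added example, not part of the original thread: a small Python check that compares the `ciphers` tuples in a broker's `ssl_options` with the cipher suites a Java client offers in its `javax.net.debug` ClientHello, since a broker restricted to one suite can only complete a handshake with a client that offers it. The log excerpt is constructed (the list in the post is cut off), and the atom-to-name tables cover only the common RSA/DHE suites.

```python
import re

# Erlang ssl cipher-tuple atoms -> fragments used in JSSE suite names.
# Only a common subset is listed (assumption); extend as needed.
KEY_EXCHANGE = {"rsa": "RSA", "dhe_rsa": "DHE_RSA", "dhe_dss": "DHE_DSS"}
CIPHER = {"rc4_128": "RC4_128", "des_cbc": "DES_CBC",
          "3des_ede_cbc": "3DES_EDE_CBC",
          "aes_128_cbc": "AES_128_CBC", "aes_256_cbc": "AES_256_CBC"}
HASH = {"md5": "MD5", "sha": "SHA"}

# ssl_options as quoted in the thread.
SAMPLE_CONFIG = """{ssl_options, [{cacertfile,"/etc/rabbitmq/ca.pem"},
                    {certfile,"/etc/rabbitmq/cert.pem"},
                    {ciphers,[{rsa,aes_128_cbc,sha}]}]}"""

# Constructed javax.net.debug excerpt with a complete suite list.
SAMPLE_LOG = """*** ClientHello, TLSv1
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
"""


def broker_suites(config_text):
    """Suite names (without SSL_/TLS_ prefix) for each {kx,cipher,hash} tuple."""
    tuples = re.findall(r"\{\s*(\w+)\s*,\s*'?(\w+)'?\s*,\s*(\w+)\s*\}", config_text)
    return [f"{KEY_EXCHANGE[k]}_WITH_{CIPHER[c]}_{HASH[h]}" for k, c, h in tuples]


def client_offer(debug_log):
    """Suite names listed on the 'Cipher Suites: [...]' line of the ClientHello."""
    match = re.search(r"Cipher Suites:\s*\[(.*?)\]", debug_log, re.S)
    if not match:
        return []
    return [name.strip() for name in match.group(1).split(",") if name.strip()]


def common_suites(config_text, debug_log):
    """Client-offered suites the broker configuration also allows."""
    # JSSE prefixes older suites with SSL_ and newer ones with TLS_; drop it to compare.
    offered = {re.sub(r"^(SSL|TLS)_", "", s): s for s in client_offer(debug_log)}
    return [offered[s] for s in broker_suites(config_text) if s in offered]


if __name__ == "__main__":
    shared = common_suites(SAMPLE_CONFIG, SAMPLE_LOG)
    print("shared suites:", shared or "none, the handshake cannot complete")
```

An empty result means the client's enabled suites and the broker's `ciphers` list have to be aligned before handshake timing can be measured at all.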
