[rabbitmq-discuss] Client connection to ssl rabbitMQ is very slow

Rabbit001 rcrespopanizo at gmail.com
Mon Apr 9 08:23:00 BST 2012


Hi Carl,

I followed your instructions and I've modified rabbitmq.config and put
{ciphers,[{rsa,aes_128_cbc,sha}]}. The server starts correctly but my client
displays this error:

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(10000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1317113069 bytes = { 232, 24, 48, 31, 62, 172, 47, 240,
38, 205, 140, 162, 102, 226, 22, 0, 240, 6, 93, 111, 113, 187, 44, 85, 132,
255, 0, 48 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, waiting for close_notify or alert: state 1
main, Exception while waiting for close java.net.SocketException: Connection reset
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Exception in thread "main" java.net.SocketException: Connection reset
	at java.net.SocketInputStream.read(Unknown Source)
	at com.sun.net.ssl.internal.ssl.InputRecord.readFully(Unknown Source)
	at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(Unknown Source)
	at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.kickstart(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.kickstartHandshake(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
	at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
	at java.io.BufferedOutputStream.flush(Unknown Source)
	at java.io.DataOutputStream.flush(Unknown Source)
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:121)
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:126)
	at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:287)
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:516)
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:533)
	at mediapost.tests.RabbitMQSSLSample.main(RabbitMQSSLSample.java:24)

Any idea?

Best Regards,


Carl Hörberg wrote:
> 
> the DHE key exchange algorithm is very computationally intensive, so
> make sure you disable it (http://matt.io/entry/ur)
> 
> this config allows only the AES 128 cipher with RSA (and not DHE) as
> key exchange and SHA as hash algorithm (md5 is somewhat weaker but
> faster):
> 
> {ssl_options, [{cacertfile,"/etc/rabbitmq/ca.pem"},
>                     {certfile,"/etc/rabbitmq/cert.pem"},
>                     {ciphers,[{rsa,aes_128_cbc,sha}]}]}
> 
> for all options, see http://www.erlang.org/doc/man/ssl.html, as Emile
> said.
> 
> On Wed, Apr 4, 2012 at 12:43, Emile Joubert <emile at rabbitmq.com> wrote:
>> Hi,
>>
>> On 02/04/12 15:26, Rabbit001 wrote:
>>>   I've followed the ssl configuration instructions on the rabbitmq page
>>> 'www.rabbitmq.com/ssl.html' to configure ssl access to the rabbitmq server.
>>> I've started the rabbitmq server correctly and I've executed example1
>>> (sample code for the ssl java client) and the result is good, but the method
>>> factory.newConnection() takes over 5 s to finish. On the other hand, without
>>> ssl the method factory.newConnection() finishes in <200 ms.
>>>
>>>   How do I increase the performance in the first scenario (ssl
>>> configuration)? Any idea?
>>
>> If your broker CPU has hardware support for certain ciphers and OpenSSL
>> can make use of it then try to restrict the SSL connection to those
>> ciphers, or to prioritise them. The "ciphers" SSL configuration option
>> in the broker is one way of achieving that. For configuration details
>> see http://www.erlang.org/doc/man/ssl.html
>>
>> You might also gain some useful insight by using an SSL traffic analyser
>> such as "ssldump". If long gaps appear in the timeline then the output
>> may help you to determine what is responsible for the delay.
>>
>> Do other SSL clients also take long to connect? Try using the "openssl
>> s_client" option as described here:
>> http://www.rabbitmq.com/troubleshooting-ssl.html
>> and check whether such connections also take long.
>>
>> Does the Java client take long to connect when the SSL layer is provided
>> by a different SSL service? You can try this by connecting to the broker
>> via stunnel, socat or similar.
>>
>> The last two questions may help you to focus on whether the problem lies
>> on the client or server side.
>>
>>
>> -Emile
>>
>>
>> _______________________________________________
>> rabbitmq-discuss mailing list
>> rabbitmq-discuss at lists.rabbitmq.com
>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

-- 
View this message in context: http://old.nabble.com/Client-connection-to-ssl-rabbitMQ-is-very-slow-tp33544994p33654326.html
Sent from the RabbitMQ mailing list archive at Nabble.com.
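
Added example, not part of the original post or of RabbitMQ: a Python check of whether the ClientHello in the JSSE debug output above still offers a suite that the restricted broker setting {ciphers,[{rsa,aes_128_cbc,sha}]} allows. The function names are hypothetical, and the mapping assumes an Erlang {KeyExchange,Cipher,Hash} tuple corresponds to the JSSE suite name with its SSL_/TLS_ prefix removed.

```python
import re

# Excerpt of the JSSE debug output posted above: the ClientHello suite
# list and the line recording the hello format that was written.
JSSE_DEBUG = """\
*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
main, WRITE: SSLv2 client hello message, length = 101
"""

def offered_suites(debug_text):
    """Return the suite names listed in the ClientHello of a JSSE debug log."""
    m = re.search(r"Cipher Suites:\s*\[(.*?)\]", debug_text, re.S)
    if m is None:
        raise ValueError("no 'Cipher Suites: [...]' list in the debug output")
    return [s.strip() for s in m.group(1).split(",") if s.strip()]

def erlang_to_suffix(kx, cipher, mac):
    """('rsa', 'aes_128_cbc', 'sha') -> 'RSA_WITH_AES_128_CBC_SHA' (assumed mapping)."""
    return f"{kx}_WITH_{cipher}_{mac}".upper()

def check_overlap(debug_text, server_ciphers):
    """Compare the client's offer with the broker's allowed cipher tuples."""
    suites = offered_suites(debug_text)
    # Index the client's suites by name without the SSL_/TLS_ prefix.
    by_suffix = {s.split("_", 1)[1]: s for s in suites}
    wanted = [erlang_to_suffix(*c) for c in server_ciphers]
    return {
        # Suites both sides accept; an empty list means no handshake is possible.
        "common": [by_suffix[w] for w in wanted if w in by_suffix],
        # DHE suites the client offers but an RSA-only broker will not select.
        "dhe_offered": [s for s in suites if "_DHE_" in s],
        # True when the log shows the hello was written in SSLv2 format.
        "sslv2_format_hello": "SSLv2 client hello message" in debug_text,
    }

if __name__ == "__main__":
    report = check_overlap(JSSE_DEBUG, [("rsa", "aes_128_cbc", "sha")])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty "common" list means the cipher restriction alone does not rule out a shared suite for this client.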


