From: ke h. <ke...@re...> - 2006-08-28 10:33:48
I'm about to develop a yaws app which will serve most of its pages as HTTPS. Pretty much everything except the home page.
I would like to know any concerns/limitations of the underlying SSL used by Yaws.
I have seen old erlang maillist posts such as:
http://erlang.org/ml-archive/erlang-questions/200311/msg00252.html

This post seems to indicate the issue is needing to tune erlang to handle a large number of sockets.
Anything else I should know about for handling large numbers of HTTPS requests?

thanks, ke han
From: <kl...@ta...> - 2006-08-28 12:20:09
ke han wrote:
> I'm about to develop a yaws app which will serve most of its pages
> as HTTPS. Pretty much everything except the home page.
> I would like to know any concerns/limitations of the underlying SSL
> used by Yaws.
> I have seen old erlang maillist posts such as:
> http://erlang.org/ml-archive/erlang-questions/200311/msg00252.html
>
> This post seems to indicate the issue is needing to tune erlang to
> handle a large number of sockets.
> Anything else I should know about for handling large numbers of HTTPS
> requests?
>

The OTP SSL implementation isn't the best in town. It's ok but it has had a number of obscure bugs over the years. We've built several high traffic SSL sites with yaws + ssl and also submitted a number of small but crucial ssl bugfixes to the otp group.

As it stands now, all should be ok.

As for that old post that had FD_SETSIZE set to 256, it doesn't sound really up to date. Also, looking at the code in esock_poll.c it seems as if OTP ssl now uses poll instead of select(), so the number of SSL sockets should really be limited by the max num open fds for that unix process, which is tunable to a very high number in most modern unices.

/klacke

--
Claes Wikstrom                        -- Caps lock is nowhere and
http://www.tail-f.com                 -- everything is under control
cellphone: +46 70 2097763
From: ke h. <ke...@re...> - 2006-08-29 04:13:29
thanks Claes...
that's just the kind of confident response I was hoping for ;-)..

BTW, I listened to your BSD radio interview...glad to hear yaws getting the word out to the masses. If you can call the BSD community massive...all is relative when you're sitting on an erlang rock. ;-)
The most important thing I learned from the audiocast is that Claes is not pronounced "Claws". I doubt I can yet pronounce your name correctly, but I do know that "Claws" isn't correct ;-)
thanks again, ke han
From: Torbjorn T. <to...@to...> - 2006-08-29 07:01:59
ke han wrote:
> thanks Claes...
> that's just the kind of confident response I was hoping for ;-)..
>
> BTW, I listened to your BSD radio interview...glad to hear yaws
> getting the word out to the masses. If you can call the BSD
> community massive...all is relative when you're sitting on an erlang
> rock. ;-)
> The most important thing I learned from the audiocast is that Claes
> is not pronounced "Claws". I doubt I can yet pronounce your name
> correctly, but I do know that "Claws" isn't correct ;-)
> thanks again, ke han

He he, that was funny :-)

"Claws the maker of Yaws!"

--Tobbe
From: Matthew R. <mat...@si...> - 2006-08-29 06:01:44
There is an SSL issue I have discovered. The Erlang/OTP http parser can only handle HTTP headers of at most 1024 characters per line. This becomes an issue when a client is passing in large cookies.

The reason is that the Erlang/OTP R10 http parser uses a default 1024 byte buffer for parsing lines (OTP R11 has a bit larger default buffer size, about 1400 bytes).

This only affects https and not http, since yaws sets a larger buffer size for unencrypted TCP connections. Unfortunately though, the SSL interface does not allow the buffer size to be set or changed. :(

If you think this may be a problem, here is one fix:

In the Erlang/OTP source directory, edit the file:
    ./erts/emulator/drivers/common/inet_drv.c
Change
    #define INET_DEF_BUFFER     1024    /* default buffer size */
To:
    #define INET_DEF_BUFFER     (1024*8)    /* default buffer size */

Then recompile Erlang/OTP and re-install.

Matt Reilly
SIPphone Inc.
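An added illustration, not part of the original thread and not Erlang/OTP or Yaws code: a C helper that measures the header lines of a request against the line-buffer sizes named in Matt Reilly's message (1024, about 1400, and the patched 1024*8), so a captured or test request can be checked for Cookie lines that would not fit. The request, host name and cookie name are constructed sample values, and counting the CRLF toward the limit is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes quoted in the thread; 1400 is the post's approximate R11 figure. */
#define BUF_R10     1024
#define BUF_R11     1400
#define BUF_PATCHED (1024 * 8)

/* Count header lines (request line included) that do not fit in a line
 * buffer of bufsz bytes. Assumption: the line terminator counts toward the
 * limit. Scanning stops at the blank line ending the header block, so the
 * body is never measured. *longest, if non-NULL, gets the longest line. */
static size_t oversized_header_lines(const char *req, size_t bufsz, size_t *longest)
{
    size_t over = 0, max = 0;
    const char *p = req;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) + 1 : strlen(p);
        if (nl && (len == 1 || (len == 2 && p[0] == '\r'))) break;
        if (len > max) max = len;
        if (len > bufsz) over++;
        if (!nl) break;
        p = nl + 1;
    }
    if (longest) *longest = max;
    return over;
}

/* Constructed sample input: a request whose Cookie value is cookie_len bytes. */
static void build_request(char *out, size_t outsz, size_t cookie_len)
{
    size_t n = (size_t)snprintf(out, outsz,
        "GET /account HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=");
    while (cookie_len-- && n + 5 < outsz)
        out[n++] = 'a';
    snprintf(out + n, outsz - n, "\r\n\r\nbody-not-counted");
}

int main(void)
{
    static char req[4096];
    build_request(req, sizeof req, 1500);
    printf("lines over 1024: %zu, over 1400: %zu, over 8192: %zu\n",
           oversized_header_lines(req, BUF_R10, NULL),
           oversized_header_lines(req, BUF_R11, NULL),
           oversized_header_lines(req, BUF_PATCHED, NULL));
    return 0;
}
```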
From: ke h. <ke...@re...> - 2006-08-29 06:43:59
thanks for the info..hopefully, I can keep my cookies small ;-) If not, I'll keep your fix tagged so I can use it if necessary.
ke han