Menu
▾
▴
Re: SSL is slow
|
From: <la...@sp...> - 2002-04-16 14:26:58
|
Hi Chris, >> Whilst this is not a problem, it=27s rather slow. After login, everything >> runs pretty fast, but it does take quite a while to login. >About the first thing that happens on a TLS connection is a crypto >=22handshake=22, and it sounds like this is what is being slow for you. > >Common reasons for that are that the client wants a different strength >symmetric key than the server has, so the server has to generate a new one >for you. (Something like that anyway, my memory is pretty hazy.) So check >what key lengths and algorithms you=27re asking for, and what the server >supports. > >You can run the openssl s_client program in verbose/debug mode to find out >what the server=27s advertising, which might help. Tried that - but the only extra output I get from the =27-debug=27 option is a hex dump thatReceived: from Skjaerlund-MTA by porter.spinn.dk I unfortunately don=27t know how to interpret ;-). However, I=27ve come as far as this: Running =27openssl s_client=27 against the LDAP server produces output rather quickly - and has done it al the time. Just running the s_client produces an error, though, that the server certificate isn=27t trusted. I eventually figured out how to handle this, and I can now connect to the server with a trusted CA and no errors. I thought that maybe the error might delay Perl::LDAP - but no: My newly generated CA certificate does work with Perl - I can require verification and still connect - but the long delay hasn=27t gone. So: How do one decipher the hex dump and find out about the key sizes? I=27ve tried a lot of other s_client options, but none seems to disclose this information. Regards, Lars Lars Skj=E6rlund, Network Consultant, Spinn International ApS Bukkeballevej 30, 2960 Rungsted Kyst, Denmark Tel.: +45 70 25 88 10, Fax: +45 70 25 88 44 Mail: lars=40spinn.dk Web: http://www.spinn.dk -- |
