SSL Slowdown with IE clients
"John Snowdon" <J.P.Snowdon(at)newcastle.ac.uk>
2004-11-24 16:37:43

We run Pound in a small web cluster for serving an online medical
learning environment for the entire medical degree program, here at
Newcastle. Pound works brilliantly.
Recently we've purchased several SSL certificates (from Thawte) for the
above site and others that are hosted on the cluster. We seem to have
hit a bit of a speed-hump, however.
The situation we have is this:
A Debian/Linux front end load balancer running Pound-1.8, listening on
several interfaces, including two hosts that we have a certificate each
for.
Requests for page content are directed to 1 of 3 backend Zope/ZEO
servers. Certain URLs are sent to a single backend server running
Apache - these are requests for static files, page images, documents,
resources - stuff that we didn't want Zope tying itself up serving (big
powerpoint docs, word files, pdfs, etc).
The problem is that since installing the certificate (installed as a
private key + certificate chain), we are now getting a weird slowdown
with IE based clients.
Connections are made to the site fine, the certificate is accepted
without error. Normal browsing of the SSL sites is fine. However, when
any static files (.doc, .pdf, .ppt etc, but not the images, which are on
every page) are served many, but not all, client machines experience a
slow down of 20 or 30 seconds until the document is opened. The slow
down is not present in non-IE browsers (Firefox, Mozilla, Opera - the
document is always opened instantly). From the logs on the Apache side
of things the files are served in almost exactly the same amount of
time, whether the connection is via non-SSL, self-signed-SSL or
commercial SSL.
However, quite strangely, if I change the certificate to a self signed
version (again, a key + cert chain), the slow-down at the client
disappears.
The following commands were used to generate both the self signed
certificate, and the request for the Thawte certificate:
openssl genrsa -out $KEYNAME.pem 2048
openssl req -new -key $KEYNAME.pem -out $CERTREQ.csr
openssl req -new -x509 -key $KEYNAME.pem -out $CERTFILE.pem -days 1095
Anyone have any ideas as to why we should get a notable
hang/timeout/slowdown with IE when serving these files, and not from any
other browser?
The big problem is that the campus wide browser is, of course, IE.
-John
John Snowdon - IT Support Specialist
-==========================================-
School of Medical Education Development
Faculty of Medical Sciences Computing
University of Newcastle
Email : j.p.snowdon(at)ncl.ac.uk

Re: SSL Slowdown with IE clients
Robert Segall <roseg(at)apsis.ch>
2004-11-25 12:01:33

On Wednesday 24 November 2004 16.37, John Snowdon wrote:
> We run Pound in a small web cluster for serving an online medical
> learning environment for the entire medical degree program, here at
> Newcastle. Pound works brilliantly.
>
> Recently we've purchased several SSL certificates (from Thawte) for the
> above site and others that are hosted on the cluster. We seem to have
> hit a bit of a speed-hump, however.
>
> The situation we have is this:
>
> A Debian/Linux front end load balancer running Pound-1.8, listening on
> several interfaces, including two hosts that we have a certificate each
> for.
>
> Requests for page content are directed to 1 of 3 backend Zope/ZEO
> servers. Certain URLs are sent to a single backend server running
> Apache - these are requests for static files, page images, documents,
> resources - stuff that we didn't want Zope tying itself up serving (big
> powerpoint docs, word files, pdfs, etc).
>
> The problem is that since installing the certificate (installed as a
> private key + certificate chain), we are now getting a weird slowdown
> with IE based clients.
>
> Connections are made to the site fine, the certificate is accepted
> without error. Normal browsing of the SSL sites is fine. However, when
> any static files (.doc, .pdf, .ppt etc, but not the images, which are on
> every page) are served many, but not all, client machines experience a
> slow down of 20 or 30 seconds until the document is opened. The slow
> down is not present in non-IE browsers (Firefox, Mozilla, Opera - the
> document is always opened instantly). From the logs on the Apache side
> of things the files are served in almost exactly the same amount of
> time, whether the connection is via non-SSL, self-signed-SSL or
> commercial SSL.
>
> However, quite strangely, if I change the certificate to a self signed
> version (again, a key + cert chain), the slow-down at the client
> disappears.
>
> The following commands were used to generate both the self signed
> certificate, and the request for the Thawte certificate:
>
> openssl genrsa -out $KEYNAME.pem 2048
> openssl req -new -key $KEYNAME.pem -out $CERTREQ.csr
> openssl req -new -x509 -key $KEYNAME.pem -out $CERTFILE.pem -days 1095
>
> Anyone have any ideas as to why we should get a notable
> hang/timeout/slowdown with IE when serving these files, and not from any
> other browser?
>
> The big problem is that the campus wide browser is, of course, IE.
>
> -John
Just guessing, but this is most likely a result of how IE does certificate
verification. If you have a certificate chain IE may want to verify each
certificate with the issuer, and that may take a long time. Please check with
Microsoft for possible solutions, such as caching the intermediate
certificates, or try using something without a long chain. You may want to
try a trace on a client machine just to see who it talks to and why.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
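
Added example, not part of the original posts: following up on the suggestion above to see who the client talks to, this script lists the CRL, OCSP and CA-issuer URLs carried by each certificate in a PEM chain file, which are the endpoints a verifying client may contact. The sample chain, its `example.test` URLs and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list the URLs inside each certificate of
# a PEM chain that a verifying client may contact during chain verification.

# Print "kind<TAB>url<TAB>subject" for CRL / OCSP / CA-issuer URLs in bundle $1.
chain_fetch_urls() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -text -noout |
    awk '
        /^ *Subject:/                  { subj = $0; sub(/^ *Subject: */, "", subj) }
        /CRL Distribution Points/      { kind = "crl"; next }
        /Authority Information Access/ { kind = "aia"; next }
        /X509v3 |Signature Algorithm/  { kind = "" }   # any other section
        kind != "" && /URI:/ {
            url = $0; sub(/.*URI:/, "", url); sub(/[ \t\r]+$/, "", url)
            k = kind
            if (kind == "aia") k = ($0 ~ /OCSP - /) ? "ocsp" : "ca-issuers"
            printf "%s\t%s\t%s\n", k, url, subj
        }'
}

# Build a constructed two-certificate bundle in directory $1: one certificate
# carrying CRL and OCSP URLs, one plain self-signed one without them.
make_sample_chain() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[with_urls]
crlDistributionPoints = URI:http://crl.example.test/ca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
[plain]
basicConstraints = CA:FALSE
EOF
    for ext in with_urls plain; do
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$1/req.cnf" -extensions "$ext" -subj "/CN=$ext.example.test" \
            -keyout "$1/$ext.key" -out "$1/$ext.pem" 2>/dev/null || return 1
    done
    cat "$1/with_urls.pem" "$1/plain.pem" > "$1/chain.pem"
}

# Demo on the constructed bundle; pass a real chain file to chain_fetch_urls instead.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_sample_chain "$tmp" && chain_fetch_urls "$tmp/chain.pem"
```

Run against the certificate file configured in Pound, each output line names a host that can then be looked for in a client-side trace.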

RE: SSL Slowdown with IE clients
"John Snowdon" <J.P.Snowdon(at)newcastle.ac.uk>
2004-11-25 12:10:40

An update to this is that we've found that it is only IE machines that
have Office *2003* installed, previous versions, including Office XP,
seem to be unaffected. It really is quite bizarre; even the patch levels
of IE on all the machines seem to match.
John Snowdon - IT Support Specialist
-==========================================-
School of Medical Education Development
Faculty of Medical Sciences Computing
University of Newcastle
Phone : 0191 246 4549
Email : j.p.snowdon(at)ncl.ac.uk
>-----Original Message-----
>From: Robert Segall [mailto:roseg(at)apsis.ch]
>Sent: 25 November 2004 11:02
>To: pound(at)apsis.ch
>Subject: Re: SSL Slowdown with IE clients
>
>
>On Wednesday 24 November 2004 16.37, John Snowdon wrote:
[SNIP] ....Lots of stuff about SSL slowdown....
>> Anyone have any ideas as to why we should get a notable
>> hang/timeout/slowdown with IE when serving these files, and not from any
>> other browser?
>>
>> The big problem is that the campus wide browser is, of course, IE.
>>
>> -John
>
>Just guessing, but this is most likely a result of how IE does certificate
>verification. If you have a certificate chain IE may want to verify each
>certificate with the issuer, and that may take a long time. Please check with
>Microsoft for possible solutions, such as caching the intermediate
>certificates, or try using something without a long chain. You may want to
>try a trace on a client machine just to see who it talks to and why.

Re: SSL Slowdown with IE clients
Robert Segall <roseg(at)apsis.ch>
2004-11-25 12:20:49

On Thursday 25 November 2004 12.10, John Snowdon wrote:
> An update to this is that we've found that it is only IE machines that
> have Office *2003* installed, previous versions, including Office XP,
> seem to be unaffected. It really is quite bizarre; even the patch levels
> of IE on all the machines seem to match.
Could it be that this has something to do with mime types? Once you install
Office 2003 some additional mime types may be registered with IE and opening
certain file types may take longer.
Try accessing the same files via plain HTTP just to make sure.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904