Hello,
We decided to use Pound for doing an SSL reverse proxy with client
certificate auth. But I'm facing a performance problem with the use of
the ClientCert directive.
When this directive is commented out, the time to answer the request is
slightly less than when the directive is added.
I used the following command in order to test:
curl -v -w "total:%{time_total} conn:%{time_connect} dns:%{time_namelookup} pre:%{time_pretransfer} start:%{time_starttransfer}\nsize:%{size_download} speed:%{speed_download}\n" \
  -o /dev/null \
  --cacert /path/to/cacert.pem \
  --cert /path/to/client-cert-wo-passphrase.pem \
  "https://someserver/test.php4" 2> /dev/null
and the results are below:
ClientCert 2 1 + client certificate  : total:0,440 conn:0,002 dns:0,001 pre:0,437 start:0,440
ClientCert 1 1 + client certificate  : total:0,471 conn:0,002 dns:0,001 pre:0,462 start:0,471
ClientCert 3 1 + client certificate  : total:0,452 conn:0,002 dns:0,001 pre:0,447 start:0,452
ClientCert 2 1 + libhoard            : total:0,469 conn:0,002 dns:0,001 pre:0,445 start:0,468
ClientCert 2 1 + --with-maxbuf=4096  : total:0,635 conn:0,006 dns:0,001 pre:0,623 start:0,635
wo ClientCert and certificate        : total:0,189 conn:0,002 dns:0,001 pre:0,186 start:0,189
same url in http                     : total:0,003 conn:0,001 dns:0,000 pre:0,001 start:0,003
As you can see, we tried a lot of combinations.
/var/log/messages shows messages that I think may be related to that
problem:
May 16 18:09:56 someserver pound: (779ddbb0) line too long: C = FR, ST = Bouches-du-Rhone, L = Marseille, O = MYCOMPANY, OU = SI, CN = devs, emailAddress = devs(at)MYCOMPANY.com
May 16 18:09:56 someserver pound: (779ddbb0) line too long: C = FR, ST = Bouches-du-Rhone, L = Marseille, O = MYCOMPANY, OU = SI, CN = MYCOMPANY-PP, emailAddress = si(at)MYCOMPANY.com
May 16 18:09:56 someserver pound: (779ddbb0) line too long: Apr 14 15:17:53 2008 GMT
May 16 18:09:56 someserver pound: (779ddbb0) line too long: Apr 11 15:17:53 2018 GMT
May 16 18:09:56 someserver pound: 10.33.6.8 GET /test.php4 HTTP/1.1 - HTTP/1.1 200 OK
Some posts I found suggested that I change the MAXBUF value in pound.h,
but nothing changed after that.
The file test.php4 is a small PHP script of 3 lines that outputs "YES".
Getting this URL through Pound and SSL is 50 times slower than in
simple HTTP, and worse, using the directive ClientCert makes it 150
times slower.
Does someone have a way to fix this? Pound seems a great product to
me except for this performance problem.
Here is my config file:
## Minimal sample pound.cfg
##
## see pound(8) for details
######################################################################
## global options:
User        "www-data"
Group       "www-data"
#RootJail   "/chroot/pound"
## Logging: (goes to syslog by default)
##  0   no logging
##  1   normal
##  2   extended
##  3   Apache-style (common log format)
LogFacility syslog
LogLevel    1
## check backend every X secs:
Alive       30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine  "<hw>"
######################################################################
## listen, redirect and ... to:
ListenHTTPS
    Address     10.99.0.1
    Port        443
    Cert        "/opt/pound/etc/ssl/POUND.pem"
    CAlist      "/opt/pound/etc/ssl/MYCOMPANY-cacert.pem"
    VerifyList  "/opt/pound/etc/ssl/MYCOMPANY-cacert.pem"
    CRLlist     "/opt/pound/etc/ssl/MYCOMPANY-CRL.pem"
    ClientCert  2 1
    Service
        Backend
            Address 192.168.0.1
            Port    80
        End
    End
End
Pound is version 2.4.2, compiled from sources and installed on a Debian
Sarge on a PowerEdge 2950 bi-processor with 4Gb RAM.
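A way to read the curl timings quoted in the post, added here as an example (it is not part of the original message or of Pound). curl reports each `time_*` value as a cumulative timestamp from the start of the request, so subtracting neighbouring values gives the duration of each phase: DNS, TCP connect, TLS handshake (`time_pretransfer - time_connect`, which is where the client-certificate exchange and verification happen), waiting for the first byte from Pound and the PHP backend, and body transfer. The sample lines are the ones from the post; the labels, the comma-decimal handling and the phase names are this script's own assumptions.

```python
import re
from typing import Dict

# Timings copied from the post above (curl printed them with the locale's
# comma decimal separator); the run labels are this script's own.
SAMPLE_RUNS = {
    "ClientCert 2 1 + client cert": "total:0,440 conn:0,002 dns:0,001 pre:0,437 start:0,440",
    "ClientCert 1 1 + client cert": "total:0,471 conn:0,002 dns:0,001 pre:0,462 start:0,471",
    "ClientCert 3 1 + client cert": "total:0,452 conn:0,002 dns:0,001 pre:0,447 start:0,452",
    "ClientCert 2 1 + --with-maxbuf=4096": "total:0,635 conn:0,006 dns:0,001 pre:0,623 start:0,635",
    "wo ClientCert and certificate": "total:0,189 conn:0,002 dns:0,001 pre:0,186 start:0,189",
    "same url in http": "total:0,003 conn:0,001 dns:0,000 pre:0,001 start:0,003",
}

FIELDS = ("total", "conn", "dns", "pre", "start")
FIELD_RE = re.compile(r"\b(total|conn|dns|pre|start):([0-9]+(?:[.,][0-9]+)?)")


def parse_curl_timing(line: str) -> Dict[str, float]:
    """Parse one 'total:.. conn:.. dns:.. pre:.. start:..' line into floats.
    Accepts both '0,440' (comma-decimal locale) and '0.440'."""
    found = {k: float(v.replace(",", ".")) for k, v in FIELD_RE.findall(line)}
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"missing fields {missing} in {line!r}")
    return found


def breakdown(t: Dict[str, float]) -> Dict[str, float]:
    """Turn curl's cumulative timestamps into per-phase durations (seconds).

    Every curl value is measured from the start of the request, so:
      dns     = time_namelookup
      tcp     = time_connect       - time_namelookup
      tls     = time_pretransfer   - time_connect    (handshake incl. client-cert exchange; ~0 for plain http)
      backend = time_starttransfer - time_pretransfer (waiting for the first byte: Pound + PHP backend)
      body    = time_total         - time_starttransfer
    """
    return {
        "dns": round(t["dns"], 3),
        "tcp": round(t["conn"] - t["dns"], 3),
        "tls": round(t["pre"] - t["conn"], 3),
        "backend": round(t["start"] - t["pre"], 3),
        "body": round(t["total"] - t["start"], 3),
    }


def tls_share(t: Dict[str, float]) -> float:
    """Fraction of the whole request (0..1) spent in the TLS handshake."""
    if t["total"] <= 0:
        return 0.0
    return round((t["pre"] - t["conn"]) / t["total"], 2)


def slowdown(slow: Dict[str, float], fast: Dict[str, float]) -> float:
    """How many times slower 'slow' is than 'fast', by total request time."""
    return round(slow["total"] / fast["total"], 1)


def report(runs: Dict[str, str]) -> None:
    """Print a per-phase table for every run."""
    print(f"{'run':38} {'dns':>6} {'tcp':>6} {'tls':>6} {'back':>6} {'body':>6}  tls%")
    for name, line in runs.items():
        t = parse_curl_timing(line)
        b = breakdown(t)
        print(f"{name:38} {b['dns']:6.3f} {b['tcp']:6.3f} {b['tls']:6.3f} "
              f"{b['backend']:6.3f} {b['body']:6.3f} {tls_share(t) * 100:5.0f}")


if __name__ == "__main__":
    report(SAMPLE_RUNS)
```

Run against the posted numbers, the table shows that in every HTTPS run the backend wait is about 3 ms, the same as the plain HTTP total, while the TLS phase accounts for roughly 97-99% of the request. That isolates the slowdown to the handshake on the Pound side (certificate verification, CRL check, the size of the certificate chain and the key operations) rather than to the backend or to buffer sizes, which is consistent with the MAXBUF change having had no effect.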