-
1. Re: Wildfly Undertow SSL performance issue
ctomc Mar 4, 2014 11:54 AM (in response to guglielmo.moretti)
Are you 100% sure the problem is in the SSL/Web layer?
As that big time difference would suggest an issue in WSDL processing trying to resolve some XSDs from the web...
Can you try profiling the application/server to see where exactly the time is spent?
-
2. Re: Wildfly Undertow SSL performance issue
guglielmo.moretti Mar 4, 2014 3:34 PM (in response to ctomc)
No, I'm not 100% sure... this was my first thought.
The ws code is exactly the same, I don't see why now I'm getting this strange behaviour.
Would you be so kind as to provide me hints on how to activate specific logging for debugging CXF internal code so that I'll try to figure out the problem (if it's there)?
Thanks
Guglielmo
-
3. Re: Wildfly Undertow SSL performance issue
fabrizio.benedetti Mar 7, 2014 6:11 AM (in response to guglielmo.moretti)
I have a similar configuration and if I launch the openssl client (openssl s_client -connect localhost:8443), the very first request remains locked for many seconds before receiving a response. Subsequent requests are fast. It seems to be a generic Undertow SSL problem, not CXF.
-
4. Re: Wildfly Undertow SSL performance issue
ctomc Mar 7, 2014 11:13 AM (in response to fabrizio.benedetti)
Can you reproduce this when serving simple static content, for example a file from welcome-content, aka the default page we have?
-
5. Re: Wildfly Undertow SSL performance issue
ctomc Mar 7, 2014 11:14 AM (in response to ctomc)
Btw guys, what is the exact JDK / OS you are using?
-
6. Re: Wildfly Undertow SSL performance issue
guglielmo.moretti Mar 8, 2014 6:30 AM (in response to ctomc)
I'm running Windows 7 using jdk 1.7.0_40
I'll try to give you timings before Monday if I can!
Thanks
-
7. Re: Wildfly Undertow SSL performance issue
fabrizio.benedetti Mar 10, 2014 7:59 AM (in response to guglielmo.moretti)
It seems that this behaviour happens with DSA 1024bit self-signed keys.
With DSA 2048bit keys it works perfectly.
-
8. Re: Wildfly Undertow SSL performance issue
guglielmo.moretti Mar 26, 2014 12:55 PM (in response to guglielmo.moretti)
ctomc, fabrizio.benedetti: Sorry for the late answer but I found the problem.
Foreword:
- This problem applies only when using Wildfly 8 Final; using JBoss AS 7.1 no problem happens.
- I've used an RSA 2048 bits key for my certificate (the same for both JBoss and Wildfly).
- I've tried both under Windows 7 and Ubuntu 12.04 LTS using JDK 1.7.0_40
The problem, in my case, was not related to the SSL Layer itself but was about DNS Name Resolution.
I was trying to communicate with a custom device (400MHz CPU and 128MB RAM) running Linux and OpenSSL 0.9.5.
In every try, I issued the following command to check the SSL connection:
openssl s_client -connect <ip>:443 -debug
I've also tried to use another embedded device running CentOS 6.5 and OpenSSL 1.0.1e-fips. With this one no problem happens with either Wildfly 8 or JBoss AS 7.1.
To test the connection I used Wireshark and this is the result, a name resolution query has been issued by the server but failed...
Using JBoss AS 7 no DNS resolution query gets issued and everything goes fine, as shown below (JBoss is set to use JSSE, no native Tomcat Connectors):
Forcing name resolution using the Windows hosts file, obviously, solved the issue.
Who issues that DNS Query?
I've heard about a problem in the SSLEngine implementation on the JVM that uses Reverse DNS lookup during the handshake.
Is this the case?
Why doesn't it happen on JBoss AS 7?
Thanks in advance to all
Regards
Guglielmo Moretti
-
9. Re: Wildfly Undertow SSL performance issue
guglielmo.moretti Mar 26, 2014 4:30 PM (in response to fabrizio.benedetti)
I've updated my answer.
-
10. Re: Wildfly Undertow SSL performance issue
ctomc Mar 26, 2014 4:49 PM (in response to guglielmo.moretti)
Tnx for the detailed investigation.
It looks like SSLEngine does lookups based on how it is created.
There are a few workarounds to fix that; can you create a JIRA issue for this in the XNIO project: https://issues.jboss.org/browse/XNIO
tnx
tomaz
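
The remark above about lookups depending on how the SSLEngine is created can be observed with the JDK API alone. This is an added example, not code from the thread, from XNIO or from Wildfly; the class name `PeerHostLookupDemo` and the default address are assumptions, and it assumes the delay comes from the caller resolving the peer name before it passes that name to `createSSLEngine`.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical demo class: compares two ways of deriving the peer host hint
// that is handed to SSLContext.createSSLEngine(host, port).
public class PeerHostLookupDemo {

    // Builds a socket address from a literal IP; no name is attached yet.
    static InetSocketAddress peer(String ip, int port) throws Exception {
        return new InetSocketAddress(InetAddress.getByName(ip), port);
    }

    public static void main(String[] args) throws Exception {
        // Pass the peer IP seen in the packet capture; loopback is only a default.
        String ip = args.length > 0 ? args[0] : "127.0.0.1";
        SSLContext ctx = SSLContext.getDefault(); // initialised before timing starts

        // Variant 1: getHostString() (Java 7+) returns the literal IP as-is
        // and never asks the resolver.
        InetSocketAddress a = peer(ip, 443);
        long t0 = System.nanoTime();
        SSLEngine noLookup = ctx.createSSLEngine(a.getHostString(), a.getPort());
        long noLookupMs = (System.nanoTime() - t0) / 1_000_000;

        // Variant 2: getHostName() triggers a reverse DNS lookup when the
        // address was created from a literal IP. If no PTR record or hosts
        // entry exists, this call blocks until the resolver times out.
        InetSocketAddress b = peer(ip, 443);
        long t1 = System.nanoTime();
        SSLEngine withLookup = ctx.createSSLEngine(b.getHostName(), b.getPort());
        long withLookupMs = (System.nanoTime() - t1) / 1_000_000;

        // The host argument is only advisory peer information for the engine;
        // the time is spent in the caller's name resolution, not in TLS itself.
        System.out.printf("getHostString: peerHost=%s, %d ms%n",
                noLookup.getPeerHost(), noLookupMs);
        System.out.printf("getHostName:   peerHost=%s, %d ms%n",
                withLookup.getPeerHost(), withLookupMs);
    }
}
```

Run it on the server host with the remote device's IP as the argument, once before and once after adding the hosts entry, and compare the second timing.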
-
11. Re: Wildfly Undertow SSL performance issue
guglielmo.moretti Mar 26, 2014 5:30 PM (in response to ctomc)
Thanks Tomaz
I'll create an issue in the XNIO project,
in the meantime, could you please tell me which workaround I could use?
Thanks,
Guglielmo
-
12. Re: Wildfly Undertow SSL performance issue
ctomc Mar 26, 2014 5:43 PM (in response to guglielmo.moretti)
I worded myself poorly, workarounds are possible in code, aka in xnio itself.
All you could do is add an entry to /etc/hosts
so the server would not be timing out trying to resolve itself.
-
13. Re: Wildfly Undertow SSL performance issue
guglielmo.moretti Mar 27, 2014 3:36 AM (in response to ctomc)
In fact, that's what I did.
In the meantime I've filed a bug in the XNIO project!
Thanks