[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Slow initial repo access (https method)

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Thu, 21 Apr 2011 12:25:01 +0300

What do you mean by "accessing the repo via IP address"? Without having
read your link, I expect it does a reverse DNS lookup on the client's
address (i.e., the IP address of the box where the working copy
resides), and just accessing the repository as http://192.87.106.227
instead of http://svn.apache.org won't affect that.

The test would be
% ssh svn.apache.org time dig -x '$(echo $SSH_CONNECTION | cut -d " " -f 1)'

(this assumes you have a sh-like, not csh-like, login shell)

Matthew Fletcher wrote on Thu, Apr 21, 2011 at 10:16:29 +0100:
> Hi,
>
> Our IT guys have been quite helpful and checked the DNS setup (and showed it to me), looks fine. A test accessing the repo via IP address gives the same delay.
>
>
> regards
>
> Matthew J Fletcher | Serck Controls | United Kingdom | Lead Software Engineer
> Phone: +44 2476 305050 | Direct Dial: +44 2476 515089
> Email: mfletcher_at_serck-controls.co.uk | Site: www.serck-controls.co.uk | Address: Rowley Drive, Coventry, CV3 4FH, United Kingdom
>
>
>
>
>
> > -----Original Message-----
> > From: Matthew Fletcher
> > Sent: 21 April 2011 09:55
> > To: 'Daniel Shahaf'; users_at_subversion.apache.org
> > Subject: RE: Slow initial repo access (https method)
> >
> >
> > Hi,
> >
> > Nothing as fancy as LDAP, just a basic file.
> >
> > AuthType Basic
> > AuthBasicProvider file
> >
> >
> > I wonder if it could be due to DNS name lookup issues,
> >
> > http://old.nabble.com/Using-SSL-between-Apache-proxy-and-Synap
> > se-causes-consistent-10-second-delay-in-SSL-handshake-td16014406.html
> >
> > "Check if reverse DNS lookups are the same for both
> > production and stating/integration. The 10 second delays are
> > usually caused by reverse lookups when accepting connections,
> > since we try to get the hostname for logging."
> >
> > I will look into that.
> >
> >
> > regards
> >
> > Matthew
> >
> >
> >
> > > -----Original Message-----
> > > From: Daniel Shahaf [mailto:d.s_at_daniel.shahaf.name]
> > > Sent: 21 April 2011 09:49
> > > To: Matthew Fletcher; users_at_subversion.apache.org
> > > Subject: RE: Slow initial repo access (https method)
> > >
> > > The problem may be not openssl but rather your
> > authentication backend
> > > (as configured in httpd.conf). For example, if you use LDAP
> > > authentication and your LDAP server is slow to respond, that could
> > > account for some seconds' difference.
> > >
> > > On Thu, 21 Apr 2011 09:44 +0100, "Matthew Fletcher"
> > > <MFletcher_at_serck-controls.co.uk> wrote:
> > > >
> > > > Thanks for the info, enabling apache logging i can see
> > > where the pause is comming from,. its between the inital client
> > > connection and granting the access rights to my user.
> > > A full 15 seconds ! This is a fast quad core xeon server as well.
> > > >
> > > > [Thu Apr 21 09:32:30 2011] [info] Connection: Client IP:
> > > > 10.141.81.134, Protocol: TLSv1, Cipher:
> > DHE-RSA-AES256-SHA (256/256
> > > > bits) [Thu Apr 21 09:32:45 2011] [info] [client
> > > 10.141.81.134] Access
> > > > granted: 'MFletcher' OPTIONS Play:/
> > > >
> > > > How do i go about finding out why its taking so long to do
> > > the inital https / SSL stuff before granting access ? I
> > realise this
> > > crosses the boundary between SVN/apache/OpenSSL so it might
> > be tricky.
> > > >
> > > >
> > > > regards,
> > > >
> > > > Matthew
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Daniel Shahaf [mailto:d.s_at_daniel.shahaf.name]
> > > > > Sent: 20 April 2011 18:21
> > > > > To: Matthew Fletcher; users_at_subversion.apache.org
> > > > > Subject: Re: Slow initial repo access (https method)
> > > > >
> > > > >
> > > > >
> > > > > On Wed, 20 Apr 2011 14:06 +0100, "Matthew Fletcher"
> > > > > <MFletcher_at_serck-controls.co.uk> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > We are using svn 1.6.16 on the server and have noticed that
> > > > > there is a large pause in the inital https requests, (snip of
> > > > > wireshark shown bellow). Basically it looks like this
> > is a server
> > > > > side issue but i am not sure where to look for logs (apache ?).
> > > > >
> > > > > I'd firstly try to understand what the two packets are
> > on either
> > > > > side of the large pause. So...
> > > > >
> > > > > * A dev who knows the protocol might be able to tell what those
> > > > > packets are without even looking at your data;
> > > > > * You might be able to decrypt the packets you posted;
> > > > > * You might be able to reproduce the problem with non-ssl
> > > > > connections;
> > > > > * You might be able to log the packets before they get
> > > encrypted (or
> > > > > after decrypted).
> > > > >
> > > >
> > > >
> > >
> > **********************************************************************
> > > > Serck Controls Ltd, Rowley Drive, Coventry, CV3 4FH, UK A company
> > > > registered in England Reg. No. 4353634
> > > > Tel: +44 (0) 24 7630 5050 Fax: +44 (0) 24 7630 2437
> > > > Web: www.serck-controls.com Admin: post_at_serck-controls.co.uk A
> > > > subsidiary of Schneider Electric.
> > > >
> > >
> > **********************************************************************
> > > > This email and files transmitted with it are confidential
> > > and intended
> > > > solely for the use of the individual or entity to whom they are
> > > > addressed. If you have received this email in error please
> > > notify the
> > > > above. Any views or opinions presented are those of the
> > > author and do
> > > > not necessarily represent those of Serck Controls Ltd.
> > > >
> > > > This message has been scanned for malware by Mailcontrol.
> > > > www.Mailcontrol.com
> > > >
> > >
Received on 2011-04-21 11:25:40 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.