
Re: Slow initial repo access (https method)

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Thu, 21 Apr 2011 13:04:06 +0300

You may wish to try the users_at_httpd.a.o list too; this is by now more of
an httpd discussion than a mod_dav_svn one.

Matthew Fletcher wrote on Thu, Apr 21, 2011 at 10:55:17 +0100:
> Hi,
>
> Poor description on my part, sorry; in my httpd.conf I explicitly turned off hostname lookups. That made no noticeable difference.
>
> I think it's mod_ssl/openssl (am using 0.9.8r) just being slow; unfortunately, even with Apache logs set to "debug" verbosity there is no output on this, so will try and turn on logging within mod_ssl.
>
>
> regards
>
> Matthew J Fletcher
>
>
> > -----Original Message-----
> > From: Daniel Shahaf [mailto:d.s_at_daniel.shahaf.name]
> > Sent: 21 April 2011 10:25
> > To: Matthew Fletcher
> > Cc: users_at_subversion.apache.org
> > Subject: Re: Slow initial repo access (https method)
> >
> > What do you mean by "accessing the repo via IP address"?
> > Without having read your link, I expect it does a reverse DNS
> > lookup on the client's address (i.e., the IP address of the
> > box where the working copy resides), and just accessing the
> > repository as http://192.87.106.227 instead of
> > http://svn.apache.org won't affect that.
> >
> > The test would be
> > % ssh svn.apache.org time dig -x '$(echo $SSH_CONNECTION | cut -d " " -f 1)'
> >
> > (this assumes you have a sh-like, not csh-like, login shell)
> >
> > Matthew Fletcher wrote on Thu, Apr 21, 2011 at 10:16:29 +0100:
> > > Hi,
> > >
> > > Our IT guys have been quite helpful and checked the DNS setup (and showed it to me), looks fine. A test accessing the repo via IP address gives the same delay.
> > >
> > >
> > > regards
> > >
> > > Matthew J Fletcher | Serck Controls | United Kingdom | Lead Software Engineer
> > > Phone: +44 2476 305050 | Direct Dial: +44 2476 515089
> > > Email: mfletcher_at_serck-controls.co.uk | Site: www.serck-controls.co.uk | Address: Rowley Drive, Coventry, CV3 4FH, United Kingdom
> > >
> > > > -----Original Message-----
> > > > From: Matthew Fletcher
> > > > Sent: 21 April 2011 09:55
> > > > To: 'Daniel Shahaf'; users_at_subversion.apache.org
> > > > Subject: RE: Slow initial repo access (https method)
> > > >
> > > >
> > > > Hi,
> > > >
> > > > Nothing as fancy as LDAP, just a basic file.
> > > >
> > > > AuthType Basic
> > > > AuthBasicProvider file
> > > >
> > > >
> > > > > I wonder if it could be due to DNS name lookup issues,
> > > > >
> > > > > http://old.nabble.com/Using-SSL-between-Apache-proxy-and-Synapse-causes-consistent-10-second-delay-in-SSL-handshake-td16014406.html
> > > > >
> > > > > "Check if reverse DNS lookups are the same for both production and
> > > > > stating/integration. The 10 second delays are usually caused by
> > > > > reverse lookups when accepting connections, since we try to get the
> > > > > hostname for logging."
> > > >
> > > > I will look into that.
> > > >
> > > >
> > > > regards
> > > >
> > > > Matthew
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Daniel Shahaf [mailto:d.s_at_daniel.shahaf.name]
> > > > > Sent: 21 April 2011 09:49
> > > > > To: Matthew Fletcher; users_at_subversion.apache.org
> > > > > Subject: RE: Slow initial repo access (https method)
> > > > >
> > > > > > The problem may be not openssl but rather your authentication
> > > > > > backend (as configured in httpd.conf). For example, if you use LDAP
> > > > > > authentication and your LDAP server is slow to respond, that could
> > > > > > account for some seconds' difference.
> > > > >
> > > > > On Thu, 21 Apr 2011 09:44 +0100, "Matthew Fletcher"
> > > > > <MFletcher_at_serck-controls.co.uk> wrote:
> > > > > >
> > > > > > > Thanks for the info; enabling Apache logging I can see where the pause is coming from. It's between the initial client connection and granting the access rights to my user. A full 15 seconds! This is a fast quad-core Xeon server as well.
> > > > > > >
> > > > > > > [Thu Apr 21 09:32:30 2011] [info] Connection: Client IP: 10.141.81.134, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
> > > > > > > [Thu Apr 21 09:32:45 2011] [info] [client 10.141.81.134] Access granted: 'MFletcher' OPTIONS Play:/
> > > > > > >
> > > > > > > How do I go about finding out why it's taking so long to do the initial https / SSL stuff before granting access? I realise this crosses the boundary between SVN/Apache/OpenSSL so it might be tricky.
> > > > > >
> > > > > >
> > > > > > regards,
> > > > > >
> > > > > > Matthew
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Daniel Shahaf [mailto:d.s_at_daniel.shahaf.name]
> > > > > > > Sent: 20 April 2011 18:21
> > > > > > > To: Matthew Fletcher; users_at_subversion.apache.org
> > > > > > > Subject: Re: Slow initial repo access (https method)
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Wed, 20 Apr 2011 14:06 +0100, "Matthew Fletcher"
> > > > > > > <MFletcher_at_serck-controls.co.uk> wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > > We are using svn 1.6.16 on the server and have noticed that there is a large pause in the initial https requests (snip of wireshark shown below). Basically it looks like this is a server-side issue but I am not sure where to look for logs (apache?).
> > > > > > > >
> > > > > > > > I'd firstly try to understand what the two packets are on either
> > > > > > > > side of the large pause. So...
> > > > > > > >
> > > > > > > > * A dev who knows the protocol might be able to tell what
> > > > > > > > those packets are without even looking at your data;
> > > > > > > > * You might be able to decrypt the packets you posted;
> > > > > > > > * You might be able to reproduce the problem with non-ssl
> > > > > > > > connections;
> > > > > > > > * You might be able to log the packets before they get
> > > > > > > > encrypted (or after decrypted).
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > ********************************************************************
> > > > **
> > > > > > Serck Controls Ltd, Rowley Drive, Coventry, CV3 4FH, UK A
> > > > > > company registered in England Reg. No. 4353634
> > > > > > Tel: +44 (0) 24 7630 5050 Fax: +44 (0) 24 7630 2437
> > > > > > Web: www.serck-controls.com Admin:
> > post_at_serck-controls.co.uk A
> > > > > > subsidiary of Schneider Electric.
> > > > > >
> > > > >
> > > >
> > ********************************************************************
> > > > **
> > > > > > This email and files transmitted with it are confidential
> > > > > and intended
> > > > > > solely for the use of the individual or entity to
> > whom they are
> > > > > > addressed. If you have received this email in error please
> > > > > notify the
> > > > > > above. Any views or opinions presented are those of the
> > > > > author and do
> > > > > > not necessarily represent those of Serck Controls Ltd.
> > > > > >
> > > > > > This message has been scanned for malware by Mailcontrol.
> > > > > > www.Mailcontrol.com
> > > > > >
> > > > >
> >
Received on 2011-04-21 12:05:15 CEST

This is an archived mail posted to the Subversion Users mailing list.
