|
Home > Archive > IIS Server Security > November 2005 > SSL on IIS6 Performance Problems
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
SSL on IIS6 Performance Problems
|
|
|
| I have Windows 2003 Server Standard Edition (fully updated) with IIS 6.0
installed on an IBM eSeries single Xeon 2.8Ghz System with 1GB RAM and a
gigabit NIC. All the hard drives are 15K RPM Ultra 320s. We are moving our
website from an old (NT 4.0 w IIS x) to this new system. When SSL is
enabled, logging into the website takes extremely long (measured in minutes)
using windows authentication with the client and server both directly linked
using a gigabit switch (client is gigabit as well and the AD DC is on the
switch too using gigabit). Also, all pages seem to be extremely slow when
navigating in between them (approx. 15 - 20 second load time). The average
page size is approximately 40KB including 2 images and the rest text. Some
pages have SQL 2000 or Access database connections. HTTP compression is
enabled as well as kernel mode for the SSL. Watching the taskmanager during
multiple requests to the server shows hardly any (max of 1%) CPU usage and a
fraction of 1% of the network traffic. Memory utilization doesn't change.
Without SSL, the connection absolutly flies and there is no lag at all. Is
there something I am missing that should be configured? The server is using
a self-signed certificate with 1024 bit length and 128 bit encryption. I
have issued multiple certificates with no change. I have two web sites
setup. One is a default redirect for http requests to https and the other
handles all of the SSL traffic. Any help would be greatly appreciated. We
investigated SSL accelerator cards, but we aren't even beginning to push the
system, so I don't think that is the solution. Any ideas?
Thanks for listening to a long post and all of the details, but I just
wanted to fully convey the situation. If you have any thoughts, no matter
how seemingly silly, please let me know.
John
| |
| David Wang [Msft] 2005-11-11, 2:54 am |
| What happens if you do not use kernel mode SSL in WS03SP1 (and use the
normal one).
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"John" <John@discussions.microsoft.com> wrote in message
news:4D25822F-882A-4B55-BCFB-FF20F5B3A649@microsoft.com...
I have Windows 2003 Server Standard Edition (fully updated) with IIS 6.0
installed on an IBM eSeries single Xeon 2.8Ghz System with 1GB RAM and a
gigabit NIC. All the hard drives are 15K RPM Ultra 320s. We are moving our
website from an old (NT 4.0 w IIS x) to this new system. When SSL is
enabled, logging into the website takes extremely long (measured in minutes)
using windows authentication with the client and server both directly linked
using a gigabit switch (client is gigabit as well and the AD DC is on the
switch too using gigabit). Also, all pages seem to be extremely slow when
navigating in between them (approx. 15 - 20 second load time). The average
page size is approximately 40KB including 2 images and the rest text. Some
pages have SQL 2000 or Access database connections. HTTP compression is
enabled as well as kernel mode for the SSL. Watching the taskmanager during
multiple requests to the server shows hardly any (max of 1%) CPU usage and a
fraction of 1% of the network traffic. Memory utilization doesn't change.
Without SSL, the connection absolutly flies and there is no lag at all. Is
there something I am missing that should be configured? The server is using
a self-signed certificate with 1024 bit length and 128 bit encryption. I
have issued multiple certificates with no change. I have two web sites
setup. One is a default redirect for http requests to https and the other
handles all of the SSL traffic. Any help would be greatly appreciated. We
investigated SSL accelerator cards, but we aren't even beginning to push the
system, so I don't think that is the solution. Any ideas?
Thanks for listening to a long post and all of the details, but I just
wanted to fully convey the situation. If you have any thoughts, no matter
how seemingly silly, please let me know.
John
| |
|
| David,
Thank you for your response.
Actually, kernel mode was only enabled after the initial SSL performance was
so slow as an attempt to speed up the process. The same is true for http
compression. Both have had nearly no effect, except that web page
performance without SSL might be a little quicker due to the compression.
Any other tricks I might have missed? All input is appreciated.
John
"David Wang [Msft]" wrote:
> What happens if you do not use kernel mode SSL in WS03SP1 (and use the
> normal one).
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
| |
| David Wang [Msft] 2005-11-12, 8:48 pm |
| I forwarded your question to the SSL Developer, and he indicated that you
should try:
1. SSL Diagnostics -
http://www.microsoft.com/downloads/...&DisplayLang=en
2. Is it slow for HTM file as well as ASP/ASPX files
3. Check your Certificate's CRL and such related certificate verification
checks - maybe one of them is taking 15-20s due to network timeout or error
to perform some operation for every single SSL request involving that
certificate.
All I can say is that our SSL+Integrated Authentication test requests finish
at least an order of magnitude faster than what you are seeing, using
default configuration, so I am suspecting some sort of problem involving
your SSL Certificate or some other verification checks associated with the
certificate..
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"John" <John@discussions.microsoft.com> wrote in message
news:C6AAD6FE-8F0F-4F84-AFE1-3065B0CA7138@microsoft.com...
David,
Thank you for your response.
Actually, kernel mode was only enabled after the initial SSL performance was
so slow as an attempt to speed up the process. The same is true for http
compression. Both have had nearly no effect, except that web page
performance without SSL might be a little quicker due to the compression.
Any other tricks I might have missed? All input is appreciated.
John
"David Wang [Msft]" wrote:
> What happens if you do not use kernel mode SSL in WS03SP1 (and use the
> normal one).
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
| |
|
| David,
I was in the proccess of formulating a response when we randomly decided to
try the site on a few different machines besides the ones we had been using.
All of a sudden, everything was working immediately. I don't know what was
causing the problem with those couple of other machines, but it seems to be
working great now. Thank you again for all of your help and attention. It
was a fairly frustrating matter and you were willing to help address it.
John
"David Wang [Msft]" wrote:
> I forwarded your question to the SSL Developer, and he indicated that you
> should try:
> 1. SSL Diagnostics -
> http://www.microsoft.com/downloads/...&DisplayLang=en
> 2. Is it slow for HTM file as well as ASP/ASPX files
> 3. Check your Certificate's CRL and such related certificate verification
> checks - maybe one of them is taking 15-20s due to network timeout or error
> to perform some operation for every single SSL request involving that
> certificate.
>
> All I can say is that our SSL+Integrated Authentication test requests finish
> at least an order of magnitude faster than what you are seeing, using
> default configuration, so I am suspecting some sort of problem involving
> your SSL Certificate or some other verification checks associated with the
> certificate..
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
|
|
|
|
|