tr3v
#15230 10-Aug-2007 16:15

I have always had a slow connection to my webmail (hosted at home) when I am outside of my home LAN. HTTP is fine, but HTTPS connections are slow. Slow to connect and unreliable. I have no problem making an SSL connection internally, so I suspect my router. I have a Dick Smith XH1175 ADSL Modem/Router (~2-3 years old). Is it likely that the router could be the problem here?

Assuming it is, is there anything I can do to the router config to improve performance? It has several settings for checking for IP spoofing and DoS attacks etc.

Cheers

PS. My ISP is xtra.

freitasm
#81931 10-Aug-2007 17:16

Is the SSL certificate valid?

tr3v
#81945 10-Aug-2007 18:56

Yes, I *think* so. I mean, the host name on my cert matches my published IP address. I do not get any warnings when trying to connect from the outside, but now that you mention it, my "internal" domain is different to what is published, which makes me think some more.....

....so it may be nothing to do with my router but the local network configuration: Windows 2000 Server, Active Directory / internal DNS versus external. Uh oh.

muppet
#81955 10-Aug-2007 19:56

As I understand it, a valid certificate won't make the slightest difference, unless you have a router that has code that says "if certificate invalid, go slow" which I very much doubt! Having said that, I know nothing about how Windows deals with SSL certificates and session handling, so freitasm could well be right.

Your best bet would be to install WireShark on the PC with the problem and watch the TCP stream as you make an outside connection.

Check to see if there's a lot of TCP Retransmits, or fragmentation problems.

I have seen issues before with routers doing IP Spoof/fragmentation checking that have the problem you're describing; the problem only manifests itself when accessing services via the WAN (ADSL) port. That being said, I'd expect you'd also see issues with port 80 traffic.

Other things to do to try and narrow down the problem:

Get your HTTPS daemon listening on another port as well as 443 (example 448), see if browsing to https://your.site:448/webmail shows the same problem.
Get another HTTPS server up and running (shutdown your current one) and see if you have the same problem. I recommend LightHTTPD
Last resort: A large hammer.



barf
#81960 10-Aug-2007 22:07

could be a DNS timeout, if your LAN's DNS server is required to resolve some names sent by your webmail client. (?)





Sniffing the glue holding the Internet together

tr3v
#81981 11-Aug-2007 11:29

barf: could be a DNS timeout, if your LAN's DNS server is required to resolve some names sent by your webmail client. (?)

Thanks - DNS looks OK, and the connection is fine on the LAN. I don't think the server would make any different queries if I was connecting from the outside.

tr3v
#81984 11-Aug-2007 11:37

muppet: You best bet would be to install WireShark on the PC with the problem and watch the TCP stream as you make an outside connection.

Many thanks for the WireShark link - great! The first thing I have noticed is lots of "Ignored Unknown Record" packets. This appears to be because the header checksum is incorrect:
[Checksum: 0x1670 [incorrect, should be 0x8657 (maybe caused by "TCP checksum offload"?)]
Any idea what would be causing this? What is a "TCP checksum offload"?
 

tr3v
#81986 11-Aug-2007 11:52

What is a "TCP checksum offload"?

Answering my own question, I see that this is probably not an error... it just means that the NIC is doing the checksum calc.
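An added example (not from the thread) of what Wireshark is checking when it reports a TCP checksum as "incorrect, should be ...": a Python reimplementation of the RFC 793 TCP checksum over a constructed SYN segment, and why a capture taken on the sending host with checksum offload enabled shows a mismatch even though the packet on the wire is fine. The addresses, ports and sequence number are constructed sample values, not from the thread.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum: pseudo-header + segment, with the checksum field (bytes 16-17) zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF

def set_checksum(segment: bytes, value: int) -> bytes:
    return segment[:16] + struct.pack("!H", value) + segment[18:]

def checksum_status(src_ip: bytes, dst_ip: bytes, segment: bytes) -> str:
    """Mimic Wireshark's verdict on the checksum field of a captured segment."""
    recorded = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src_ip, dst_ip, segment)
    if recorded == expected:
        return "correct"
    return "incorrect, should be 0x%04x (maybe caused by TCP checksum offload)" % expected

# Constructed sample: a SYN from 192.168.1.10:51000 to 203.0.113.5:443 (documentation address).
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([203, 0, 113, 5])
# src port, dst port, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
SYN = struct.pack("!HHIIBBHHH", 51000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)

def wire_segment() -> bytes:
    """What leaves the NIC: the checksum field has been filled in (by software or by the card)."""
    return set_checksum(SYN, tcp_checksum(SRC_IP, DST_IP, SYN))

def offloaded_capture() -> bytes:
    """What a capture on the sending host sees with checksum offload on: the kernel has only
    stored the pseudo-header partial sum and left the NIC to finish it after the capture tap."""
    partial = ones_complement_sum(tcp_pseudo_header(SRC_IP, DST_IP, len(SYN)))
    return set_checksum(SYN, partial)
```

Capturing on a different machine, or a mirrored port, sidesteps the offload artefact; a checksum that is still wrong there is a real corruption problem.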

barf
#82081 12-Aug-2007 12:47

images are not cached in HTTP/SSL connections either, keep that in mind




Sniffing the glue holding the Internet together

tr3v
#82084 12-Aug-2007 13:04

Thanks, there is not a lot of content to download though so I don't think it is an issue.

I am told that it is working much quicker now that I have disabled ALL of the firewall features on the router (except port filtering): IP spoof checking, ping of death, SYN flooding etc etc

I will do my own check tomorrow from the "outside", to verify, then start turning on the router checks one by one. I thought of bridging the router directly to a better firewall, but the manual says that I can't do this with Telecom ADSL for some reason.


barf
#82089 12-Aug-2007 14:17

AHA! but you can! the XH1175's support PPP half bridge (actually 'bridge' mode is something different) FYI dynalink RTA1320's call this 'IP extension' mode, older d-link firmwares (the VxWorks -based) supported this and called it zipb

what this does is change the DHCP server on the router to provide the Internet IP to a DHCP client on the LAN, and route the traffic to that PC. please note, only one DHCP client can be connected to the router in this fashion and this disables NAT on your router, so you'll need to use Windows' ICS or a proper firewall/NAT router connected to the XH1175 if you plan on sharing the Internet on your LAN. Essentially this replicates the situation cable-modem users experience by having a modem without a router.

might be worth a try. the NAT code in the XH1175's is good but not great.




Sniffing the glue holding the Internet together

tr3v
#82098 12-Aug-2007 17:03

the XH1175's support PPP half bridge (actually 'bridge' mode is something different) FYI dynalink RTA1320's call this 'IP extension' mode, older d-link firmwares (the VxWorks -based) supported this and called it zipb

Thanks again, I will give this a try tonight. I think I understand, except...  how will I access the router if it is half bridge mode? Currently it is allocated an IP address on my LAN, but once it is connected to my firewall it will no longer be reachable? I will do a bit of research. I have another hardware router that I can use for a firewall (linksys BEFSX41 - no telecom ADSL).

tr3v
#82139 12-Aug-2007 21:19

An update: I have checked from the outside and all is working beautifully (have NOT tried half bridge yet). I have also discovered that it was the "IP Spoofing Check" that was causing HTTPS to run so slowly. I have no idea why, but am just pleased to have fixed it. For the record, the XH1175 firmware/software are CX82xxx_4.1.0.21 and 210205_REL10_v2_beta respectively.

Many thanks for the replies and the introduction to "WireShark".