APAR status
Closed as Permanent restriction.
Error description
The customer is seeing a performance degradation in a test environment when comparing TAM 6.0 with TAM 4.1. Both the 4.1 and 6.0 environments are running on the same hardware, same operating system (AIX 5.3), same maintenance level (5300-05-04), and are being tested by the same client.

In the 6.0 SSL handshake there is a gap between the server sending the 'Change Cipher Spec' message (indicating that client and server have agreed on the cipher to be used) and the Encrypted Handshake Message.

With 4.1, the Encrypted Handshake Message from WebSEAL immediately follows the Change Cipher Spec message, without waiting for an ACK from the client. This is shown as follows:

No. Time Source Source port Destination Destination port Protocol Info
1952 03:17:29.751925 10.136.150.20 13180 10.136.150.78 https TCP 13180 > https [SYN] Seq=0 Len=0 MSS=1460
1953 03:17:29.751983 10.136.150.78 https 10.136.150.20 13180 TCP https > 13180 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
1954 03:17:29.752174 10.136.150.20 13180 10.136.150.78 https TCP 13180 > https [ACK] Seq=1 Ack=1 Win=17520 Len=0
1955 03:17:29.752388 10.136.150.20 13180 10.136.150.78 https SSLv2 Client Hello
1956 03:17:29.752631 10.136.150.78 https 10.136.150.20 13180 TCP [TCP segment of a reassembled PDU]
1957 03:17:29.752661 10.136.150.78 https 10.136.150.20 13180 SSLv3 Server Hello, Certificate, Server Hello Done
1958 03:17:29.753258 10.136.150.20 13180 10.136.150.78 https TCP 13180 > https [ACK] Seq=70 Ack=2715 Win=17520 Len=0
1959 03:17:29.754534 10.136.150.20 13180 10.136.150.78 https SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1960 03:17:29.759318 10.136.150.78 https 10.136.150.20 13180 SSLv3 Change Cipher Spec
1961 03:17:29.759871 10.136.150.78 https 10.136.150.20 13180 SSLv3 Encrypted Handshake Message
1962 03:17:29.760054 10.136.150.20 13180 10.136.150.78 https TCP 13180 > https [ACK] Seq=278 Ack=2786 Win=17449 Len=0
1963 03:17:29.760279 10.136.150.20 13180 10.136.150.78 https SSLv3 Application Data
1964 03:17:29.763533 10.136.150.78 https 10.136.150.20 13180 SSLv3 Application Data
1965 03:17:29.763691 10.136.150.78 https 10.136.150.20 13180 TCP https > 13180 [FIN, ACK] Seq=3360 Ack=516 Win=65535 Len=0
1966 03:17:29.763880 10.136.150.20 13180 10.136.150.78 https TCP 13180 > https [ACK] Seq=516 Ack=3361 Win=16875 Len=0
1967 03:17:29.764237 10.136.150.20 13180 10.136.150.78 https TCP 13180 > https [FIN, ACK] Seq=516 Ack=3361 Win=16875 Len=0
1968 03:17:29.764250 10.136.150.78 https 10.136.150.20 13180 TCP https > 13180 [ACK] Seq=3361 Ack=517 Win=65535 Len=0

With 6.0, WebSEAL waits for an ACK to the Change Cipher Spec message before sending the Encrypted Handshake Message:

No. Time Source Source port Destination Destination port Protocol Info
1811 03:25:12.186456 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [SYN] Seq=0 Len=0 MSS=1460
1812 03:25:12.186500 10.136.150.78 https 10.136.150.20 20663 TCP https > 20663 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
1813 03:25:12.186718 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [ACK] Seq=1 Ack=1 Win=17520 Len=0
1814 03:25:12.186941 10.136.150.20 20663 10.136.150.78 https SSLv2 Client Hello
1815 03:25:12.187300 10.136.150.78 https 10.136.150.20 20663 TCP [TCP segment of a reassembled PDU]
1816 03:25:12.187326 10.136.150.78 https 10.136.150.20 20663 SSLv3 Server Hello, Certificate, Server Hello Done
1817 03:25:12.187914 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [ACK] Seq=70 Ack=2715 Win=17520 Len=0
1818 03:25:12.188942 10.136.150.20 20663 10.136.150.78 https SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1819 03:25:12.196464 10.136.150.78 https 10.136.150.20 20663 SSLv3 Change Cipher Spec
1939 03:25:12.304959 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [ACK] Seq=278 Ack=2721 Win=17514 Len=0
1940 03:25:12.304974 10.136.150.78 https 10.136.150.20 20663 SSLv3 Encrypted Handshake Message
1941 03:25:12.305450 10.136.150.20 20663 10.136.150.78 https SSLv3 Application Data
1942 03:25:12.308124 10.136.150.78 https 10.136.150.20 20663 SSLv3 Application Data
2288 03:25:12.506124 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [ACK] Seq=516 Ack=3419 Win=16816 Len=0
2532 03:25:13.182976 10.136.150.20 20663 10.136.150.78 https SSLv3 Encrypted Alert
2533 03:25:13.183094 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [FIN, ACK] Seq=543 Ack=3419 Win=16816 Len=0
2534 03:25:13.183118 10.136.150.78 https 10.136.150.20 20663 TCP https > 20663 [ACK] Seq=3419 Ack=544 Win=65535 Len=0
2538 03:25:13.183255 10.136.150.78 https 10.136.150.20 20663 SSLv3 Encrypted Alert
2540 03:25:13.183444 10.136.150.78 https 10.136.150.20 20663 TCP https > 20663 [FIN, ACK] Seq=3446 Ack=544 Win=65535 Len=0
2541 03:25:13.183459 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [RST] Seq=544 Len=0

This is adding significant time to the SSL handshake and, in turn, to the customer's performance tests.
Local fix
Set the hidden setting neg-delay-fix-disable = true in the [ssl] stanza of the WebSEAL configuration file.
Problem summary
SSL handshake delay from 4.1 to 6.0.
Problem conclusion
By default, WebSEAL 6.0 enables the Nagle algorithm during the SSL handshake, possibly resulting in performance delays. A workaround has been documented in IZ01427.
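The handshake gap described in this APAR can be measured from a text export of the capture. The following Python is an added example, not IBM's code; the sample rows are copied from the two captures in the error description, while the function names and the assumed row layout (space-separated summary columns as shown on this page) are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Columns: No. Time Source SrcPort Destination DstPort Protocol Info
ROW = re.compile(r"^(\d+) (\S+) (\S+) \S+ \S+ \S+ (\S+) (.*)$")
SERVER = "10.136.150.78"  # WebSEAL address in the captures on this page

# Rows copied from the 4.1 capture (frames 1959-1961).
CAPTURE_41 = """
1959 03:17:29.754534 10.136.150.20 13180 10.136.150.78 https SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1960 03:17:29.759318 10.136.150.78 https 10.136.150.20 13180 SSLv3 Change Cipher Spec
1961 03:17:29.759871 10.136.150.78 https 10.136.150.20 13180 SSLv3 Encrypted Handshake Message
"""

# Rows copied from the 6.0 capture (frames 1818-1940).
CAPTURE_60 = """
1818 03:25:12.188942 10.136.150.20 20663 10.136.150.78 https SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1819 03:25:12.196464 10.136.150.78 https 10.136.150.20 20663 SSLv3 Change Cipher Spec
1939 03:25:12.304959 10.136.150.20 20663 10.136.150.78 https TCP 20663 > https [ACK] Seq=278 Ack=2721 Win=17514 Len=0
1940 03:25:12.304974 10.136.150.78 https 10.136.150.20 20663 SSLv3 Encrypted Handshake Message
"""

def parse(capture):
    """Yield (time, source, protocol, info) for each exported frame row."""
    for line in capture.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            _, ts, src, proto, info = m.groups()
            yield datetime.strptime(ts, "%H:%M:%S.%f"), src, proto, info

def ccs_gap(capture, server):
    """Return (gap in microseconds, client ACK seen in between) for the
    server's Change Cipher Spec -> Encrypted Handshake Message pair."""
    ccs_time, acked = None, False
    for ts, src, proto, info in parse(capture):
        if ccs_time is None:
            if src == server and info == "Change Cipher Spec":
                ccs_time = ts
        elif src == server and info == "Encrypted Handshake Message":
            return (ts - ccs_time) // timedelta(microseconds=1), acked
        elif src != server and proto == "TCP" and "[ACK]" in info:
            # A bare client ACK before the server's next record is the
            # pattern seen when Nagle holds back the second small write.
            acked = True
    return None, acked

if __name__ == "__main__":
    for name, cap in (("4.1", CAPTURE_41), ("6.0", CAPTURE_60)):
        print(name, ccs_gap(cap, SERVER))
```

A gap of roughly 100 ms or more with an intervening client ACK, as in the 6.0 rows, matches the behaviour this APAR attributes to Nagle being enabled during the handshake.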
Temporary fix
Comments
APAR Information
APAR number
IZ01306
Reported component name
ACCESS MGR WEBS
Reported component ID
5724C0811
Reported release
600
Status
CLOSED PRS
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-07-11
Closed date
2007-07-13
Last modified date
2007-07-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
13 July 2007