VERY Slow SSL Connection from Win to Linux

katz.merav

Hi,

I have a client application connecting to a server using SSL.
The connection is very very slow.
When I add the server ip to the windows hosts file it connects quickly
but I don't want to rely on users doing this ....
I tried removing all calls to InetAddress.getByName to avoid DNS lookup
but it didn't help.
I found the bottleneck is the SSLSocketFactory.createSocket call.

Any ideas ???

Thanks.
 
Gordon Beaton

I have a client application connecting to a server using SSL. The
connection is very very slow. When I add the server ip to the
windows hosts file it connects quickly but I don't want to rely on
users doing this .... I tried removing all calls to
InetAddress.getByName to avoid DNS lookup but it didn't help. I
found the bottleneck is the SSLSocketFactory.createSocket call.

Any ideas ???

Yes, don't rely on the users adding anything to their host files, fix
your DNS server instead.

There are probably two (maybe more) places where DNS is used: when the
client connects using a symbolic name, and when the server does a
reverse lookup to determine who the client is.

Use a tool like ethereal to diagnose the problem.

/gordon
 
katz.merav

Hi,
Thanks for the quick reply.

I'm using Ethereal to monitor the network, and when NOT defining the
server in the "hosts" file I've noticed many NBNS queries (UDP, port
137, netbios-name-service...).
On the other hand, when I added the server to the "hosts" file, I
didn't see even one query, so it seems like the client's problem, and
not the server's problem.

Any ideas?
 
Gordon Beaton

I'm using Ethereal to monitor the network, and when NOT defining the
server in the "hosts" file I've noticed many NBNS queries (UDP, port
137, netbios-name-service...).

On the other hand, when I added the server to the "hosts" file, I
didn't see even one query, so it seems like the client's problem,
and not the server's problem.

Any ideas?

Yes, just one - this hardly seems to be a java programming issue, so
I'd suggest a more appropriate forum (such as comp.protocols.misc, or a
windows specific group).

/gordon
 
Nigel Wade

Hi,
Thanks for the quick reply.

I'm using Ethereal to monitor the network, and when NOT defining the
server in the "hosts" file I've noticed many NBNS queries (UDP, port
137, netbios-name-service...).
On the other hand, when I added the server to the "hosts" file, I
didn't see even one query, so it seems like the client's problem, and
not the server's problem.

Any ideas?

I think that part of the process of establishing the authenticity of the SSL
server is that the client will check that the server IP matches that of the
hostname in the certificate.

That your client is using netbios-name-service rather than DNS is most likely a
feature of Windows.
 
Roedy Green

I'm using Ethereal to monitor the network, and when NOT defining the
server in the "hosts" file I've noticed many NBNS queries (UDP, port
137, netbios-name-service...).
On the other hand, when I added the server to the "hosts" file, I
didn't see even one query, so it seems like the client's problem, and
not the server's problem.

Any ideas?

If it appears the DNS lookup is not being cached, have a look at the
master Time to Live of the master domain server for your domain name
to see if you need to put a longer freshness date on it.

You need to know about DNS/BIND to do this. See
http://mindprod.com/jgloss/dns.html
 
Joined
Jul 6, 2007
Messages
2
Reaction score
0
Found a fix.

I realize this is a VERY old thread, but when I do a Google search on "slow java ssl client connections", this thread is one of the most relevant results I find.

The problem above is actually a Java problem related to the WINS Name Service in Windows. Basically, a reverse DNS lookup during the SSL handshake causes a long timeout.

To fix the problem, cache your server address as an InetAddress object and reuse it in the Socket constructor whenever you are making a new connection to your server.

Thanks to Merav for emailing me his solution.
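
An added example, not part of the original post or the poster's code: one way to apply the cached-InetAddress fix described above in Java 7 or later, while keeping the certificate hostname check mentioned earlier in the thread. The class name, `resolveOnce`, `connect` and the placeholder host `server.example.com` are assumptions for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CachedTlsConnect { // hypothetical class name
    private static final Map<String, InetAddress> CACHE = new ConcurrentHashMap<>();
    // One forward lookup per host name; later connections reuse the cached object.
    static InetAddress resolveOnce(String host) throws IOException {
        InetAddress cached = CACHE.get(host);
        if (cached == null) {
            byte[] raw = InetAddress.getByName(host).getAddress();
            // getByAddress(name, bytes) does no lookup; getHostName() then returns 'host'.
            cached = InetAddress.getByAddress(host, raw);
            CACHE.put(host, cached);
        }
        return cached;
    }
    static SSLSocket connect(String host, int port, int timeoutMs) throws IOException {
        Socket plain = new Socket();
        try {
            plain.connect(new InetSocketAddress(resolveOnce(host), port), timeoutMs);
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            // Layer TLS over the connected socket, naming the intended peer explicitly.
            SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
            SSLParameters params = tls.getSSLParameters();
            // Caching must not weaken authentication: the certificate has to match 'host'.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            tls.setSSLParameters(params);
            tls.startHandshake();
            return tls;
        } catch (IOException e) {
            plain.close(); // do not leak the TCP socket when connect or handshake fails
            throw e;
        }
    }
    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "server.example.com"; // placeholder
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = connect(host, port, 5000)) {
            System.out.println("Negotiated " + s.getSession().getProtocol());
        }
    }
}
```

If the server's address changes, the cached entry has to be dropped and resolved again; the sketch above never expires entries.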
 
Joined
Jan 14, 2010
Messages
1
Reaction score
0
This is still a problem.

Can verify that this is still an issue on the following setup:
Windows Vista Business SP2
Sun JDK 1.6.0_17

The solution (and problem maker) above is correct. Even if accessing an
SSL-based server with an IP address things slow down.

You can also add the SSL certificate CN (Common Name) and IP address to
the host file on the Windows machine to fix the timeout on the reverse DNS lookup.

//Tobias Höglund
 
Joined
Jul 6, 2007
Messages
2
Reaction score
0
Tobias,

Adding the URL and IP address to your hosts file is another option, but you will need to remember to update the entry if your server address ever changes.

Also, if you're deploying software to client machines, you might want to resist changing the user's system files unless it's absolutely necessary.
Those types of fixes often create more problems, both for you and the user, than the ones they are solving.

-Robert
 
Joined
Feb 9, 2012
Messages
1
Reaction score
0
disable naming services on windows

  1. Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings
    turn off network discovery
    turn off file and printer sharing
  2. edit group policy
    computer configuration / administrative templates / network / DNS client /
    ENABLE "turn off multicast name resolution"
  3. Control Panel\Network and Internet\Network Connections
    properties of the lan adapter
    ipv4 properties
    advanced
    WINS
    disable NetBIOS over TCP/IP
 
