EldoS | Feel safer!

SBB9 + Indy HTTP Server

Posted: 09/11/2011 22:53:30
by Darian Miller (Standard support level)
Joined: 06/27/2011
Posts: 49

I have an existing TidHTTPServer descendant that I added the SBB9 IOHandler to (via TElIndySSLServerIOHandler) utilizing Delphi XE.

One of the clients connecting, a large publicly held company with a few-year-old API for integrations, is having some sporadic issues with connections either being dropped, or they are taking longer than necessary and they think it's related to the size of the HTTP Post, but I can't see this correlation.

I've taken one of their supposed large Posts (about 35k) and with JMeter I have hit my server 1000 times in a minute posting this same content without error or timing issues. (Averages about 500ms but ranges from 300ms to 1.5 sec) I've done this on the production NLB pair of servers and ran it for 5 minutes and performed 6000+ consecutive posts with 20 client threads and had no issues.

However, on their much lower-volume posts, about 1 in 50 posts during the day are slow according to my logs - where they take almost exactly 60 seconds to complete. (The connect and read timeouts are set to 120 seconds and this near-exact 60 second timeout is questionable.)

On these 60-second posts, I get an Indy connected event fired and the OnCommandGet is not fired until ~60 seconds later. On some connections, I get a connected event but nothing else.

Looking at the SSL Established events, it seems most are negotiating cipher suite 4 (RSA_RC4_SHA) and sometimes 12 (RSA_AES_128_SHA). If the server and client aren't changing, shouldn't the handshake result in the same cipher suite selection by both sides every time?

It sounds like there may be some confusion going on with the handshake, but I'm definitely guessing.

The IOHandler setup:

vIOHandler.Versions := [sbSSL3,sbTLS1];

// The loop header was not shown in the original post; reconstructed here on the
// assumption that the SecureBlackbox SB_SUITE_FIRST/SB_SUITE_LAST bounds are used
// to disable every suite and reset its priority before enabling a subset below.
for i := SB_SUITE_FIRST to SB_SUITE_LAST do
begin
  vIOHandler.CipherSuites[i] := False;
  vIOHandler.CipherSuitePriorities[i] := 1;
end;

// Enable the suites the server is willing to negotiate.
vIOHandler.CipherSuites[SB_SUITE_RSA_3DES_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DHE_RSA_3DES_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DH_RSA_3DES_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_RSA_AES256_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_RSA_RC4_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_RSA_AES128_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DH_DSS_AES256_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DH_RSA_AES128_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DH_RSA_AES256_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DHE_DSS_AES128_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DHE_DSS_AES256_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DHE_RSA_AES128_SHA] := true;
vIOHandler.CipherSuites[SB_SUITE_DHE_RSA_AES256_SHA] := true;

// Raise the priority of the preferred suites; all of these share the same value,
// so they tie with each other and only outrank the 3DES suites left at 1.
vIOHandler.CipherSuitePriorities[SB_SUITE_RSA_RC4_SHA] := 4;
vIOHandler.CipherSuitePriorities[SB_SUITE_RSA_AES128_SHA] := 4;
vIOHandler.CipherSuitePriorities[SB_SUITE_RSA_AES256_SHA] := 4;
vIOHandler.CipherSuitePriorities[SB_SUITE_DHE_DSS_AES128_SHA] := 4;
vIOHandler.CipherSuitePriorities[SB_SUITE_DHE_DSS_AES256_SHA] := 4;
vIOHandler.CipherSuitePriorities[SB_SUITE_DHE_RSA_AES128_SHA] := 4;
vIOHandler.CipherSuitePriorities[SB_SUITE_DHE_RSA_AES256_SHA] := 4;

vIOHandler.Passthrough := False;
vIOHandler.CompressionAlgorithms[SSL_CA_NONE] := true;
vIOHandler.CompressionAlgorithms[SSL_CA_ZLIB] := false;
vIOHandler.ForceCertificateChain := false;

I'm also setting the Read+Connect Timeouts (120000)

I'm not getting OnCiphersNegotiated fired, which is apparently for renegotiation. The OnError event is not firing either.

Since their API is frozen and likely not going to get anywhere requesting dev support or changes on their end, I'm thinking about reducing the number of ciphers down further. Does this sound reasonable? Which ciphers do you recommend leaving for the best bet for handshake success?

If the handshake failed and the connection dropped, shouldn't the OnError event be fired? Do you have any suggestions for tracking this down further?
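
The question above about why the same client and server can end up on RSA_RC4_SHA one time and RSA_AES_128_SHA the next comes down to how a server chooses from the client's offered list. The following is an added illustration, not code from the post or from SecureBlackbox: it models a server that picks the highest-priority suite among those the client offered, breaking ties by the client's own order. The suite names, the priority values (mirroring the 1 and 4 used in the post) and the two constructed client offer lists are assumptions for the sake of the example.

```python
"""Model of TLS cipher-suite selection with server priorities and client order.

Added example; not SecureBlackbox's actual algorithm. Server config mirrors the
post's setup: a few suites enabled at default priority 1, the preferred ones
raised to 4. Client offer lists are constructed sample data.
"""
from typing import Dict, List, Optional

# Server-side: enabled suite -> priority (higher wins). Modelled on the
# CipherSuites / CipherSuitePriorities arrays in the post above.
SERVER_CONFIG: Dict[str, int] = {
    "RSA_3DES_SHA": 1,
    "DHE_RSA_3DES_SHA": 1,
    "DH_RSA_3DES_SHA": 1,
    "RSA_RC4_SHA": 4,
    "RSA_AES128_SHA": 4,
    "RSA_AES256_SHA": 4,
    "DHE_DSS_AES128_SHA": 4,
    "DHE_DSS_AES256_SHA": 4,
    "DHE_RSA_AES128_SHA": 4,
    "DHE_RSA_AES256_SHA": 4,
}

# A reduced configuration (constructed): RC4 and 3DES dropped, AES128 ranked
# strictly above AES256 so no two enabled suites share a priority.
HARDENED_CONFIG: Dict[str, int] = {
    "RSA_AES128_SHA": 6,
    "DHE_RSA_AES128_SHA": 5,
    "RSA_AES256_SHA": 4,
    "DHE_RSA_AES256_SHA": 3,
}

# Two constructed ClientHello offer lists that contain the same suites in a
# different order, as might happen across client hosts or library versions.
CLIENT_A: List[str] = ["RSA_RC4_SHA", "RSA_AES128_SHA", "RSA_3DES_SHA"]
CLIENT_B: List[str] = ["RSA_AES128_SHA", "RSA_RC4_SHA", "RSA_3DES_SHA"]


def mutual_suites(offered: List[str], config: Dict[str, int]) -> List[str]:
    """Suites both sides support, kept in the client's offered order."""
    return [s for s in offered if s in config]


def select_suite(offered: List[str], config: Dict[str, int]) -> Optional[str]:
    """Choose the offered suite with the highest server priority.

    Ties keep the first one the client offered (strict '>' below), so when
    several enabled suites share a priority the client's ordering decides.
    Returns None when there is no overlap, i.e. the handshake would fail.
    """
    best: Optional[str] = None
    best_priority = -1
    for suite in offered:
        priority = config.get(suite)
        if priority is None:
            continue  # not enabled on the server
        if priority > best_priority:
            best, best_priority = suite, priority
    return best


def has_priority_ties(config: Dict[str, int]) -> bool:
    """True if two enabled suites share a priority, so client order can matter."""
    return len(set(config.values())) < len(config)


if __name__ == "__main__":
    for name, cfg in (("post config", SERVER_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: ties={has_priority_ties(cfg)}")
        for label, offer in (("client A", CLIENT_A), ("client B", CLIENT_B)):
            print(f"  {label}: mutual={mutual_suites(offer, cfg)} "
                  f"-> {select_suite(offer, cfg)}")
    print("no overlap ->", select_suite(["RSA_NULL_MD5"], SERVER_CONFIG))
```

With the post's configuration, client A lands on RSA_RC4_SHA and client B on RSA_AES128_SHA even though the server did not change, because both suites sit at priority 4 and the client's order breaks the tie. Giving each enabled suite a distinct priority (and dropping RC4, which modern guidance does not keep) makes the outcome the same regardless of what order the client sends. Logging the mutual list on SSL Established, alongside the chosen suite, is the cheapest way to see whether a dropped connection corresponds to an empty overlap.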


Posted: 09/12/2011 03:20:10
by Alexander Ionov (EldoS Corp.)

Moved to Helpdesk, Ticket # 19546

Best regards,
Alexander Ionov
Posted: 09/13/2011 22:30:53
by Darian Miller (Standard support level)
Joined: 06/27/2011
Posts: 49

For future reference...a one-liner fix cured me.


