EldoS | Feel safer!


HTTPS on Compact Framework (CE 5/6) - VERY SLOW

#32201
Posted: 02/16/2015 06:21:01
by Jean Philippe (Basic support level)
Joined: 05/15/2014
Posts: 10

Dear Support,

I tested the sample HTTPS server on our embedded Windows CE 5 (and 6).
I succeeded in viewing a web page, but it takes about 30 seconds to negotiate the certificates.

I'm using the test certificate 'cert.pem'.

When running the same application on computer, it works much better of course.

Did you test your library on CF 2.0? As it is now, it won't be usable at all.
I also tested on a very recent device (a more powerful prototype), and I went from 30 seconds to 25... still very slow.

Thank you,
Best regards,

Jean-Philippe



Here is the relevant source code:

Code
using System;
using System.IO;
using System.Threading;
using SBCustomCertStorage;
using SBX509;

var m_certStorage = new TElMemoryCertStorage();

try
{
    // Read the PEM-encoded test certificate (cert.pem) into memory,
    // closing the stream and reader when done.
    byte[] buff;
    using (FileStream fs = new FileStream("cert.pem", FileMode.Open, FileAccess.Read))
    using (BinaryReader br = new BinaryReader(fs))
    {
        long numBytes = new FileInfo("cert.pem").Length;
        buff = br.ReadBytes((int)numBytes);
    }

    // Load the certificate and its private key (password "test") from the buffer.
    TElX509Certificate Cert = new TElX509Certificate();
    //if (Cert.LoadFromFileAuto("\\cert.pem", "test") != 0)
    if (Cert.LoadFromBufferPEM(buff, "test") != 0)
    {
        Console.WriteLine("Can not load certificate!");
    }
    else
    {
        m_certStorage.Clear();
        m_certStorage.Add(Cert, true);
    }
}
catch (Exception Ex)
{
    Console.WriteLine(Ex.Message);
}

// Start the sample's HTTPS server thread on port 444 with the loaded storage.
var m_serverThread = new ServerThread(444, true, m_certStorage, "\\");

while (true)
{
    Thread.Sleep(100);
}
#32202
Posted: 02/16/2015 06:34:30
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

You should do a few things to speed up the process:

1) Turn off slow ciphersuites and leave only fast ones. This can be done using the TElHTTPSServer.GetControl.CipherSuites property. Those that are based on the AES cipher are usually faster than others.

2) Turn on SSL session resumption: https://www.eldos.com/documentation/sb...esume.html
#32207
Posted: 02/16/2015 08:07:39
by Jean Philippe (Basic support level)
Joined: 05/15/2014
Posts: 10

Thank you for your answer.

I did test by adding the following :


for (short i = 0; i < 107; i++)
{
m_httpsServ.GetControl().SetCipherSuite(i, false);
}
m_httpsServ.GetControl().SetCipherSuite(12, true);

m_httpsServ.SSLExtensions.StatelessTLS = true;


But the gain is only 2-3 seconds.

Any other idea? Could this be a socket management related issue? Having implemented CF socket applications, I know there are some workarounds to avoid bugs... Did you test it on a real device or only in emulation?

Thank you,
Best regards,

Jean-Philippe
#32209
Posted: 02/16/2015 09:23:38
by Eugene Mayevski (EldoS Corp.)

The key exchange is a complex procedure when it comes to certificate validation. It would help us a lot if you could modify the code so that it doesn't validate the certificate but just sets Validate = true in the OnCertificateValidate certificate handler, and measure speed on your device.

To answer your questions - yes, we did test the implementation on actual devices (Windows Mobile 6.5 phones) and we had satisfactory performance (2-3 seconds for the complete connection).


Sincerely yours
Eugene Mayevski
#32210
Posted: 02/16/2015 09:34:04
by Jean Philippe (Basic support level)
Joined: 05/15/2014
Posts: 10

Thank you. I added the event, but when I add a breakpoint in the event, it does not trigger. I don't understand ...

m_httpsServ = new SBHTTPSServer.TElHTTPSServer();

m_httpsServ.SSLMode = sslMode;
m_httpsServ.CertStorage = certStorage;

m_httpsServ.OnSend += new TSBSendEvent(DoSend);
m_httpsServ.OnReceive += new TSBReceiveEvent(DoReceive);
m_httpsServ.OnOpenConnection += new TSBOpenConnectionEvent(DoOpenConnection);
m_httpsServ.OnCloseConnection += new TSBCloseConnectionEvent(DoCloseConnection);
m_httpsServ.OnSSLError += new TSBErrorEvent(DoError);
m_httpsServ.OnRequestHeadersReceived += new TSBHTTPRequestHeadersEvent(DoRequestHeadersReceived);
m_httpsServ.OnRequestBodyReceived += new TSBHTTPRequestBodyEvent(DoRequestBodyReceived);
m_httpsServ.OnData += new TSBDataEvent(m_httpsServ_OnData);
m_httpsServ.OnBeforeWebSocketServerUsed += new TSBHTTPBeforeWebSocketServerUsedEvent(DoBeforeWebSocketServerUsed);
m_httpsServ.OnWebSocketConnectionEstablished += new TSBHTTPWebSocketConnectionEstablishedEvent(DoWebSocketConnectionEstablished);
m_httpsServ.OnCertificateValidate += new TSBCertificateValidateEvent(m_httpsServ_OnCertificateValidate);

for (short i = 0; i < 107; i++)
{
m_httpsServ.GetControl().SetCipherSuite(i, false);
}
m_httpsServ.GetControl().SetCipherSuite(12, true);

m_httpsServ.SSLExtensions.StatelessTLS = true;

Console.WriteLine(System.DateTime.Now + " : open()");
m_httpsServ.Open();
Console.WriteLine(System.DateTime.Now + " : opened");

}

void m_httpsServ_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref bool Validate)
{
Validate = true;
}
#32212
Posted: 02/16/2015 09:49:55
by Ken Ivanov (EldoS Corp.)

Hi Jean-Philippe,

Another thing that should be taken into account is that the server requires an ephemeral DH key pair for certain cipher suites ("DHE" ones). For each server-side environment this key pair is generated on demand when the first DHE session is established. This key pair is then re-used for each subsequent DHE session.

As a result, the very first connection made to your server might take a while due to a need to generate the key pair. The subsequent connections should go much faster though.

Cheers,

Ken
#32213
Posted: 02/16/2015 09:52:46
by Ken Ivanov (EldoS Corp.)

And, by the way, you do not need this:

Code
m_httpsServ.SSLExtensions.StatelessTLS = true;


StatelessTLS is something that should only be used in specific environments where client and server agree on using this feature. If your TLS clients are not prepared for using it (and the majority of the out-of-the-box clients are not), the server will be unable to use it alone.

Ken
#32214
Posted: 02/16/2015 09:58:24
by Ken Ivanov (EldoS Corp.)

Quote
Thank you. I added the event, but when I add a breakpoint in the event, it does not trigger. I don't understand ...

That's fine, this event is not triggered if you do not use client authentication (SSLClientAuthentication is false or SSLAuthenticationLevel is set to alRequestCert and not alRequireCert).

So, summarizing, could you please try to make two or three consecutive connection attempts to your CF server (without closing the app) and check if the second and/or third ones are established faster?

Ken
#32215
Posted: 02/16/2015 09:58:52
by Jean Philippe (Basic support level)
Joined: 05/15/2014
Posts: 10

Dear Ken,

I added it following advice of Vsevolod Ievgiienko (#32202)
2) Turn on SSL sessions resumption: https://www.eldos.com/documentation/sb...esume.html

I don't see a difference when adding / removing it.

Thx,
JP
#32216
Posted: 02/16/2015 10:13:11
by Ken Ivanov (EldoS Corp.)

The session resumption facility is primarily about attaching a TElSessionPool object rather than setting StatelessTLS to true. So creating a session pool object and attaching it to the SessionPool property of the server will do.

Have you had any luck with the second and third connection in a row?

Ken
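The consecutive-connection test Ken asks for in #32212, #32214 and #32216, as an added example that is not from the thread or from SecureBlackbox: a desktop .NET client that times each TLS handshake against the CE server and reports the negotiated key exchange, so a one-time DHE key generation on the first connection can be told apart from a uniformly slow handshake. The device address and the test certificate thumbprint are assumptions to fill in; port 444 comes from the thread's sample.

```csharp
using System;
using System.Diagnostics;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
static class HandshakeTimer
{
    // Assumed: CE device address, and the SHA-1 thumbprint of the test cert (cert.pem).
    const string Host = "192.168.0.10";
    const int Port = 444;
    const string ExpectedThumbprint = "PLACEHOLDER_THUMBPRINT";

    // Pin the self-signed test certificate instead of accepting any certificate.
    static bool ValidateTestCert(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;
        string thumbprint = new X509Certificate2(cert).Thumbprint;
        return string.Equals(thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Connect, run the TLS handshake and return how long it took.
    static TimeSpan TimeHandshake()
    {
        Stopwatch sw = Stopwatch.StartNew();
        using (TcpClient tcp = new TcpClient(Host, Port))
        using (SslStream tls = new SslStream(tcp.GetStream(), false, ValidateTestCert))
        {
            tls.AuthenticateAsClient(Host);
            sw.Stop();
            // KeyExchangeAlgorithm == DiffieHellman means a DHE suite was negotiated,
            // so the server's on-demand ephemeral DH key pair was involved.
            Console.WriteLine("  key exchange: {0}, cipher: {1}",
                              tls.KeyExchangeAlgorithm, tls.CipherAlgorithm);
        }
        return sw.Elapsed;
    }
    static void Main()
    {
        // Three connections without restarting the server: a slow first handshake
        // followed by fast ones points at one-time DHE key generation.
        for (int i = 1; i <= 3; i++)
        {
            TimeSpan t = TimeHandshake();
            Console.WriteLine("connection {0}: {1:F0} ms", i, t.TotalMilliseconds);
        }
    }
}
```

If the first connection is slow and the next two are fast, the cost is the DHE key pair; if all three are equally slow, the time is spent per connection (key exchange, certificate handling or the socket layer) and the DHE suites are not the explanation.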