Best Practices from Oracle Development's A‑Team

Wrong SSL Handshake Behavior for each WebCenter Request, When Terminating SSL at OHS

Lyudmil Pelov
Architect

Introduction

During performance tuning, it was noticed that an SSL handshake was taking place for each static request. Further investigation revealed that the problem was caused by the OHS SSL configuration, which unfortunately is wrongly included by default when OHS is installed.

Main Article

During performance tuning, the A-Team identified that in some cases an SSL handshake was required for each resource loaded from WebCenter Portal. Unfortunately, using browsers like Firefox or Chrome with Firebug or network monitoring tools did not give any clue as to where the problem could be. The following diagram represents the monitored behavior:

 

[Figure: ohs_ssl_handshake]

The diagram above clearly shows that the portal login page was loading fairly fast; most of the time was spent on the DNS lookup and the SSL handshake. The main problem visible in the diagram was the SSL handshake (the red lines) on each request, which should not be the case. A potential reason for this is that the connection was closed or not kept alive, which would force a new SSL handshake on each request. This behavior was usually observed with IE or with monitoring tools using an IE agent. The root cause of the issue was a wrong OHS SSL configuration. If you look inside the OHS configuration and open the ssl.conf file, you find the following lines:

DO NOT USE THIS!
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

This configuration matches all Internet Explorer agents and prevents keep-alive, which can also be the behavior if your monitoring tool uses an MSIE agent. The main reason for forcing IE browsers not to use keep-alive was that older IE browsers (lower than IE 6) sometimes encountered connection failures when interacting with an HTTPS server where keep-alive is used.

Considering that today there is possibly no user with an IE browser version older than IE 6, the solution is to remove the above configuration, or to make sure that the browser match excludes only IE browser versions older than IE 6 from keep-alive.
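One way to check an ssl.conf for this problem, as an added example that is not part of the original article or of OHS: the script parses `BrowserMatch` rules that set `nokeepalive` (including backslash-continued lines) and reports which sample User-Agents they hit. The narrowed pattern `MSIE [2-5]`, the User-Agent strings, the function names, and the use of Python's `re` in place of the server's own regex engine are assumptions for illustration.

```python
import re
import shlex

# Constructed sample inputs: the broad rule quoted above and a narrowed variant
# (the "MSIE [2-5]" pattern is an assumption, not taken from the article).
BROAD = '''BrowserMatch ".*MSIE.*" \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0
'''
NARROW = 'BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0\n'

# Constructed User-Agent strings used to probe the rules.
SAMPLE_AGENTS = {
    "IE 5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "IE 8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "IE 10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "Firefox": "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0",
}

def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def nokeepalive_rules(conf_text):
    """Return the compiled regex of every BrowserMatch[NoCase] rule that sets nokeepalive."""
    rules = []
    for line in logical_lines(conf_text):
        tokens = shlex.split(line)
        name = tokens[0].lower()
        if name in ("browsermatch", "browsermatchnocase") and len(tokens) >= 3:
            if "nokeepalive" in (t.lower() for t in tokens[2:]):
                flags = re.IGNORECASE if name.endswith("nocase") else 0
                rules.append(re.compile(tokens[1], flags))
    return rules

def affected_agents(conf_text, agents=SAMPLE_AGENTS):
    """Names of sample User-Agents that would lose keep-alive under conf_text."""
    rules = nokeepalive_rules(conf_text)
    return sorted(n for n, ua in agents.items() if any(r.search(ua) for r in rules))

if __name__ == "__main__":
    for label, conf in (("broad", BROAD), ("narrow", NARROW)):
        print(label, "->", affected_agents(conf))
```

Any agent reported for the broad rule that is not an IE version older than IE 6 will pay for a new SSL handshake on every request.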

For more information: http://blogs.msdn.com/b/ieinternals/archive/2011/03/26/https-and-connection-close-is-your-apache-modssl-server-configuration-set-to-slow.aspx

 Internal Oracle Support Doc ID 1662733.1
