How to optimize an SSL session so it can be reused later (if needed) to improve client-server performance

Posted 2024-10-23 16:05:42 · 559 words · 4 views · 0 comments

I have a server running on Windows Azure here with a large key (link is intended to demonstrate large key in SSL cert). Based on this Security.SE conversation the larger key will be more expensive to setup and tear down from a CPU perspective.

Assuming I'm using a .NET client and a .NET server; what changes should I make (if any) to reduce the overhead of connecting / disconnecting from an SSL perspective?

For the purpose of this conversation let's include these scenarios (add more if you can think of them)

  • WebBrowser to IIS
  • WCF client to WCF Server (IIS)
  • WCF client to WCF TCP
  • Sockets-based client to Sockets-based server

Comments (2)

哥,最终变帅啦 2024-10-30 16:05:42

The cost of an initial handshake is basically fixed (given certain parameters). The cost of a resumed handshake is approximately zero.

The way to improve performance is to increase the amount of sessions that are resumed sessions, and not initial sessions. This amortizes the cost of the initial handshake across the resumed handshakes, reducing the average handshake cost.

The easiest way to increase the resumed handshake rate is to have a larger session cache size/timeout. Of course, having a large session cache can create its own performance issues. One needs to find a good balance between these two, and the best way to do that is with testing.
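The cache size/timeout trade-off described in the answer above can be explored before touching a production server. The following is an added example, not part of the original answer: a language-neutral model in Python that replays a constructed connection trace against a server-side session cache. The LRU eviction policy, the lifetime counted from session creation, and the cost units (1.0 for a full handshake, 0.0 for a resumed one) are assumptions of the model, not measured values.

```python
from collections import OrderedDict

def simulate(trace, cache_size, timeout, full_cost=1.0, resumed_cost=0.0):
    """Replay (time_s, client_id) connections against a session cache.

    Assumed model: LRU eviction when the cache is full, and a session
    expires `timeout` seconds after the full handshake that created it.
    Returns (resumed_fraction, average_handshake_cost).
    """
    cache = OrderedDict()  # client_id -> time the session was created
    resumed = 0
    for now, client in trace:
        created = cache.get(client)
        if created is not None and now - created <= timeout:
            resumed += 1                   # resumed handshake (cache hit)
            cache.move_to_end(client)      # mark as most recently used
        else:
            cache.pop(client, None)        # drop an expired entry, if any
            cache[client] = now            # full handshake creates a session
            if len(cache) > cache_size:
                cache.popitem(last=False)  # evict the least recently used
    total = len(trace)
    full = total - resumed
    return resumed / total, (full * full_cost + resumed * resumed_cost) / total

# Constructed trace: 4 clients, each reconnecting every 10 s, 5 times.
TRACE = [(10 * k + c, c) for k in range(5) for c in range(4)]

if __name__ == "__main__":
    for size, timeout in [(4, 300), (2, 300), (4, 5), (4, 25)]:
        rate, cost = simulate(TRACE, size, timeout)
        print(f"size={size} timeout={timeout}s resumed={rate:.0%} avg_cost={cost:.2f}")
```

With this trace, a cache smaller than the working set of clients, or a timeout shorter than the reconnect interval, drives the resumption rate to zero, which is why the settings need to be tested against real traffic patterns.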

-小熊_ 2024-10-30 16:05:42

If the application is made to keep the WCF connections open, it may make sense to enable KeepAlive (it's disabled by default).

The TCP connection will be reused automatically when the keep-alive switch is turned on. For the ServicePointManager, you can use the SetTcpKeepAlive method to turn on the keep-alive option for a TCP connection. Refer to the following MSDN article:

ServicePointManager.SetTcpKeepAlive Method
http://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.settcpkeepalive.aspx

From Microsoft:

Generally the difference, in the perspective of performance, between common HTTP and HTTPS lies in the handshake of a TCP connection. It takes a longer time for an HTTPS handshake than for HTTP. However, after the TCP connection is established, their difference is very trivial as a block cipher will be used in this connection. And the difference between a ‘very high bit’ cert and a common cert is more trivial. We’ve dealt with a lot of slow performance cases, but we seldom have cases whose slow-performance problem is caused by a stronger cert, as the network congestion, the CPU high utilization, a large portion of ViewState data etc. are main characters of slow performance.

In the perspective of IIS, notice that in the IIS manager, there will be an option checked by default for a website, as ‘Enable HTTP Keep-Alives’. This option ensures that the IIS and the client browser would keep the TCP connection alive for a time for certain HTTP requests. That is to say, for round-trips between an IIS server and the client, only the first request will be obviously slower than others, while the rest won’t.

You can refer to the following article about this setting:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d7e13ea5-4350-497e-ba34-b25c0e9efd68.mspx?mfr=true

Of course, I know for WCF, IIS is not a must to host applications for many scenarios, but on this point, I think they work similarly.
