Server Management - Remote Server Management
1748201 Members
2980 Online
108759 Solutions
New Discussion

Re: SSL Certificate for iLO connection time is so long

 
Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

I don't see anything wrong in the network trace. However, I did notice few things that could explain what is happening here.


iLO2 has a limit of 7 simultaneous SSL sessions. Some browsers like to open multiple simultaneous SSL sessions to the target. Apparently, browsers do this in order to download webpages faster.


Also, iLO2 webserver has a 2 minutes timeout for each HTTP/HTTPS session. If no web traffic is seen on one session after 120 seconds, iLO2 will close the socket and free up that SSL session.


If you have something else in that network that is constantly opening SSL connections to your iLOs, your iLOs might not have enough SSL sessions left for you when you use your browser.


Check how many concurrent connections is your IE currently using and try tweaking its values.
http://www.mr2t.com/tweaks-ie-connections

By the way, Chrome is not supported in iLO2.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Thanks for the answer.
But with selfsigned cert I have no problem - loading is fast. With cert from Internal CA having speed issue after logon...

Checking registry parameters - having default value. have no problem on the other ssl web-pages.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

iLO2 self-signed certs come with 1024bit RSA key pairs only.
Doubling the RSA key length means that encryption will be 6-7 times slower. If the imported SSL cert signed by your CA is 2048 bit then, iLO2 is going to take 6-7 times longer to do initial SSL handshakes every time your browser establishes a new SSL session. Since some browsers out there can open up to 6 simultaneous SSL sessions, your iLO2 is going to get really slow, spending most of its time doing nothing but public key encryption computations.

Other SSL webservers have more powerful processors that can handle multiple SSL connections without breaking a sweat. iLO2 is a 8 years product designed at a time when 1024bit RSA was good enough. It has clearly outlived its usefulness.



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

I have installed 1024 cert from my CA not a 2048.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Then, forget what I said.

 

If you remove that cert (by changing iLO hostname), does iLO become faster?




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Interesting.

 

I'm able to reproduce this issue now that I have imported a SSL Cert signed by my company CA.  I'm debugging it right now.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Ok, I found the bug. We are going to fix it in the next iLO2 release.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Hi Maxim,

Could you please test an iLO2 v2.23 that I've uploaded to my temp FTP site?

ftp://ilo4me:G!v3t2me@ftp.usa.hp.com/iLO2



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Hi Maxim,

We fixed your problem in a new iLO2 v2.23 release. It is on the web.

Thanks
Oscar



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!