errors in SSL_connect() & session caching overload

Wed, 18 Oct 2000 13:06:47 -0700 

Hello all.
First, thanks to everyone who has helped me with any feedback on my
previous problems.

I seem to be pretty much over the major hurdles at this point, but I
need to verify the cause of some SSL errors showing up under (very)
heavy load.

Here they are:

error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
and
error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal
parameter

I am also getting unexpected EOF (SSL_ERROR_SYSCALL and SSL_connect
returns 0).  How does this occur?

I am inclined to believe that they are the result of errors in the
underlying sockets, but I have seen no verification of this.  Can anyone
give me a definitive description of the cause so I can either document
it as a network issue or fix my code?


Just in case anyone is interested, I have come across a problem with the
SSL session caching.  Under heavy load, my app would dump core,
sometimes the core exceeded 300MB (though a good part of this was memory
allocated for application functionality).  The problem disappeared when
I turned off  client side session caching.  I finally found in the old
SSLeay.txt file a description of the session caching issues.  Look for
session.doc in the file.
According to EAY (or whoever actually wrote the doc), teh session cache
is flushed every 255 successful calls to SSL_connect().  He also says
'Please note that this could be expensive on a heavily loaded SL server,
in which case, turn this off and clear the cache of old entries
manually'.
I suspect that the session caching is not designed to handle a large
number of cached client connections.  I don't know if this is a memory
leak or not, but I do know that before I can use client side caching to
any large degree, I will have to develop a means of monitoring and
flushing the cache manually.
If anyone has experience with this, a quick rundown would be greatly
appreciated.

Thanks
Lou
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to