Optimized SSL-handshake possible with WCF?

  • Question

  • When calling WCF-Services that are protected by SSL, each service-call runs an entire SSL handshake (monitored with Wireshark).
    The result of an SSL handshake is a session key that is used for the symmetric encryption/decryption.
    The entire handshake consists of several steps and each step needs additional time.

    There exist possibilities to reduce the number of these handshake-steps (RFC 5246, RFC 4507, RFC 5077, ...) which implement different mechanisms to reuse session-tickets after a first successful handshake.

    Does anyone know how these speed-optimized, abbreviated SSL-handshakes can be activated in WCF?

    We use C# (.NET 461) with net.tcp-transport and self-hosted services.







    • Edited by Rodscher Tuesday, March 7, 2017 1:27 PM
    Tuesday, March 7, 2017 10:17 AM

All replies

  • Hi Rodscher,

    How slow was WCF with SSL when you used it? If you disable SSL, how fast will it be?

    I suggest you try reliableSession to see whether it will help. In my opinion, we cannot customize the SSL handshake steps.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Wednesday, March 8, 2017 2:07 AM
  • Hi Edward

    Please forgive my late answer; I have only been back in the office since yesterday.

    Here are some results (connection from my local PC over the internet to our hoster).
    The messages are mirrored on the server (no database, ... influence):

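    | Messagesize   | Avg Responsetime without SSL [ms] | Avg Responsetime with SSL [ms] | Difference [ms] | with/without SSL |
    |---------------|-----------------------------------|--------------------------------|-----------------|------------------|
    | 1000 Bytes    | 48                                | 112                            | 64              | 233%             |
    | 2000 Bytes    | 50                                | 118                            | 68              | 237%             |
    | 4000 Bytes    | 57                                | 117                            | 60              | 204%             |
    | 8000 Bytes    | 68                                | 137                            | 68              | 200%             |
    | 16'000 Bytes  | 80                                | 149                            | 69              | 186%             |
    | 32'000 Bytes  | 102                               | 166                            | 64              | 163%             |
    | 64'000 Bytes  | 129                               | 188                            | 60              | 146%             |
    | 128'000 Bytes | 167                               | 257                            | 90              | 154%             |
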

    I've seen that an accelerated SSL-handshake is possible in an IIS-hosted web-application on that server with https. The reduced number of SSL-handshake steps accelerates https considerably. So the server operating system (or IIS) is able to accelerate SSL.

    I'd like the same SSL-handshake speedup with the net.tcp-protocol in WCF very much.

    My colleague had a look at the "reliable session" feature.
    Reliable session adds mechanisms against message loss. We'd like to have a speedup, not adding protocol steps. We have no problems because of lost messages.
    Additionally, "reliable session" adds heuristics which may cause message re-transmits. These heuristics were counterproductive when message sizes vary a lot.

    Please tell me if I'm wrong.

    Best regards
    Roger




    • Edited by Rodscher Tuesday, March 21, 2017 7:59 AM
    Tuesday, March 21, 2017 6:29 AM
  • I think we cannot reduce the cost of an initial handshake. I would suggest you try to make WCF connections open, and enable KeepAlive, which will make the TCP connection be reused automatically.

    I suggest you refer to the link below for more information.

    #How can I optimize SSL session so I can reuse it later (if needed) to improve Client Server performance

    http://stackoverflow.com/questions/5332835/how-can-i-optimize-ssl-session-so-i-can-reuse-it-later-if-needed-to-improve-cl



    Wednesday, March 22, 2017 7:24 AM
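Keeping a connection open, as suggested in the reply above, can be done on net.tcp by holding one opened client channel and sending every call through it. The sketch below is an added example, not code from the thread or from Microsoft; `IEchoService`, the endpoint address and the call count are hypothetical placeholders. It does not enable an abbreviated handshake, it only avoids repeating the full one.

```csharp
// Added example, not code from the thread. IEchoService and the endpoint
// address are hypothetical placeholders for your own contract and host.
using System;
using System.Diagnostics;
using System.ServiceModel;

[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    byte[] Echo(byte[] payload);
}

public static class ChannelReuseDemo
{
    public static void Main()
    {
        // Transport security on net.tcp: TLS is negotiated while the channel opens.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        var address = new EndpointAddress("net.tcp://service.example:9000/echo");

        var factory = new ChannelFactory<IEchoService>(binding, address);
        IEchoService proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            var timer = Stopwatch.StartNew();
            channel.Open(); // TCP connect and TLS handshake are paid here, once
            Console.WriteLine("Open: {0} ms", timer.ElapsedMilliseconds);

            var payload = new byte[1000];
            for (int call = 1; call <= 10; call++)
            {
                timer.Restart();
                proxy.Echo(payload); // travels over the already secured connection
                Console.WriteLine("Call {0}: {1} ms", call, timer.ElapsedMilliseconds);
            }
            channel.Close();
            factory.Close();
        }
        catch (Exception)
        {
            // A faulted channel cannot be reused or closed cleanly; abort it
            // and create a new channel (which pays the handshake again).
            channel.Abort();
            factory.Abort();
            throw;
        }
    }
}
```

The service closes an idle net.tcp session once the ReceiveTimeout of its binding elapses, so a long-lived client has to be ready to open a fresh channel after long pauses.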
  • Hi Edward

    Thank you very much for your proposition which looked very interesting at first sight.

    You suggested to activate the ServicePointManager.SetTcpKeepAlive(...).

    As far as I can see, the ServicePointManager manages the collection of ServicePoints-Objects (https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager(v=vs.110).aspx )

    A ServicePoint provides connection management for HTTP(S) connections.
    (https://msdn.microsoft.com/en-us/library/system.net.servicepoint(v=vs.110).aspx)
    For performance reasons, we are not using HTTP(S) but net.tcp.

    Nevertheless, I wrote a small test program and really, there was no effect in the number of SSL-handshake steps in two succeeding WCF-service calls.

    I tried setting SetTcpKeepAlive:
    - before starting the first servicecall.
    - in the Certificate Validate(..)-callback
    - by setting it on an explicit ServicePoint() by using the FindServicePoint(URI)

    Still seeking for a solution.
    Any idea is appreciated very much.

    Best regards
    Roger


    Thursday, March 23, 2017 12:48 PM
  • Have you enabled HTTP Keep-Alives in IIS? In my opinion, the SSL-handshake steps would not be reduced, but the rest of the calls will reuse the connection, which will reduce the request time.

    Do you mean the time for sub-request did not change?



    Friday, March 24, 2017 5:28 AM
  • Hi Edward

    We use TLS over net.tcp and not TLS over https.
    The servicehost is a self-hosted Windows-Service: the WCF-services are not hosted in IIS.
    Therefore I was not able to activate the SetTcpKeepAlive either in TCP or in IIS.

    Watching the network traffic with Wireshark, the tcp-session-establishment and the SSL-handshake steps remain unchanged.

    Friday, March 24, 2017 3:26 PM
  • Thanks for more information.

    As far as I know, there are no settings in WCF to reduce the handshake-steps. Handshaking is an automated process of negotiation that dynamically sets parameters of a communications channel established between two entities before normal communication over the channel begins.

    I would suggest you try to host in IIS to check whether it will be helpful for performance. 



    Monday, March 27, 2017 5:10 AM