To: cygwin AT cygwin DOT com
Subject: SSH/SSL VPN authentication slow with Cygwin
From: Aaron DOT Larson AT Honeywell DOT com (Larson, Aaron)
Date: Mon, 18 May 2009 17:18:24 -0500

Actually, I'm not exactly sure what is happening, but the subject is my best guess.

I'm a telecommuter and must use a VPN to connect to my work network. Once VPN'd I need to access an extranet site that uses HTTPS for several things, including SVN. When connected to the VPN, using svn or wget to HTTPS addresses is *very* slow, but it doesn't appear to be transfer speeds, but rather something to do with connection termination. When outside the VPN, there is no performance issue. More interestingly, when we use the Collabnet svn client and the gnuwin32 wget client, there is also no performance problem. The wget is the same version on Cygwin and gnuwin32.

We had been using a three year old Cygwin so I attributed the problem to that, but I just tried (today) the latest Cygwin and the problem is still present.

Further interesting: the file that is being transferred appears on the local file system (with full contents) nearly immediately. After the transfer, it takes wget a long time to exit (minutes). SVN performance is similarly affected (a checkout in the VPN may take 30 minutes, vs 4 seconds outside the VPN or with the collabnet client).

Note that in the output below, the wget in the VPN takes 4m 20ish seconds. With the three year old cygwin it takes 2m and 1 or two seconds. The time delay is very consistent on both.

I'm not a TCP or SSL expert, but the only thing I saw that looked different between the VPN'd and non-VPN'd wireshark captures is that my VPN'd cygwin/windows box sent 5 "[TCP Retransmission] Encrypted Alert" packets after the first Encrypted alert (approximately 2, 4, 8, 16, and 32 seconds apart). The Cygwin client appears to wait for the last retransmission, whereas the GNU Win32 client does not. When not VPN'd, there are no retransmitted Encrypted alert packets.

We also see long connect times when using SSH to the same host through our VPN, but I have not investigated that as thoroughly. Perhaps there is an underlying SSL library that is causing this?

$ time wget --user=$MyUser --password=$MyPassword https://deos.ddci.com/bugzilla/page.cgi?id=fields.html --no-check-certificate --no-proxy -S
WARNING: cannot verify deos.ddci.com's certificate, issued by `/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign':
  Unable to locally verify the issuer's authority.
WARNING: cannot verify deos.ddci.com's certificate, issued by `/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign':
  Unable to locally verify the issuer's authority.
2009-05-18 15:20:54 URL:https://deos.ddci.com/bugzilla/page.cgi?id=fields.html [27147] -> "page DOT cgi AT id=fields.html.3" [1]

real    4m27.740s
user    0m0.093s
sys     0m0.015s

$ wget --version
GNU Wget 1.11.4

Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic.
Currently maintained by Micah Cowan.

--------------------------------------------------------------------------------

This is the GNU

$ time ./wget --user=$MyUser --password=$MyPassword https://deos.ddci.com/bugzilla/page.cgi?id=fields.html --no-check-certificate --no-proxy
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = c:\program files\GnuWin32/etc/wgetrc
wgetrc_file_name = C:\home\e701501/.wgetrc
WARNING: cannot verify deos.ddci.com's certificate, issued by `/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign':
  Unable to locally verify the issuer's authority.
WARNING: cannot verify deos.ddci.com's certificate, issued by `/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign':
  Unable to locally verify the issuer's authority.
2009-05-18 15:26:29 URL:https://deos.ddci.com/bugzilla/page.cgi?id=fields.html [27147] -> "page DOT cgi AT id=fields.html.2" [1]

real    0m3.918s
user    0m0.015s
sys     0m0.000s

$ ./wget --version
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = c:\program files\GnuWin32/etc/wgetrc
wgetrc_file_name = C:\home\e701501/.wgetrc
GNU Wget 1.11.4

Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic.
Currently maintained by Micah Cowan.
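The observation in the post (one Encrypted Alert at teardown, then a chain of TCP retransmissions of it spaced roughly 2, 4, 8, 16 and 32 seconds apart, with the client not exiting until the last one) is the kind of pattern that is tedious to eyeball in Wireshark across many streams. The following script is an added example, not part of the original post or of Cygwin or wget: it reads a per-packet export and reports, per TCP stream, how many times the alert was retransmitted, the gaps between transmissions, whether those gaps grow like RTO exponential backoff, and how long the teardown was stretched. The input layout is an assumption modeled on a tshark `-T fields` export of `frame.time_relative`, `tcp.stream`, `tcp.analysis.retransmission` and `_ws.col.Info` with comma separators and double-quoting; the sample rows are constructed to reproduce the pattern the post describes, not taken from the author's capture.

```python
"""Find TLS Encrypted Alert retransmission chains at connection teardown.

Added example (not from the original mailing-list post). Input is assumed to be
one CSV row per packet with the columns:
    relative time (s), tcp stream index, retransmission flag ("1" or ""), Info
which is the shape a tshark -T fields export of frame.time_relative, tcp.stream,
tcp.analysis.retransmission and _ws.col.Info would give (an assumption).
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List

# Constructed sample export. Stream 0 mirrors the slow VPN case from the post
# (one alert, then five retransmissions ~2/4/8/16/32 s apart); stream 1 is a
# healthy close where the single alert is acknowledged and the FIN follows.
SAMPLE_EXPORT = """\
0.000,0,,"Client Hello"
0.120,0,,"Server Hello"
0.950,0,,"Application Data"
1.020,0,,"Encrypted Alert"
3.030,0,1,"[TCP Retransmission] Encrypted Alert"
7.050,0,1,"[TCP Retransmission] Encrypted Alert"
15.090,0,1,"[TCP Retransmission] Encrypted Alert"
31.170,0,1,"[TCP Retransmission] Encrypted Alert"
63.330,0,1,"[TCP Retransmission] Encrypted Alert"
63.340,0,,"[FIN, ACK]"
0.000,1,,"Client Hello"
0.900,1,,"Application Data"
1.000,1,,"Encrypted Alert"
1.010,1,,"[FIN, ACK]"
"""


@dataclass
class AlertChain:
    stream: int
    first_alert: float
    retransmissions: int
    gaps: List[float] = field(default_factory=list)  # seconds between successive sends
    teardown_delay: float = 0.0  # first alert -> last retransmission, in seconds

    def backoff_looks_exponential(self, tolerance: float = 0.25) -> bool:
        """True when each gap is roughly double the one before it.

        A doubling series is the signature of TCP retransmission-timeout
        backoff: the peer (or something in the path) never acknowledged the
        alert segment, so the stack kept resending it with a doubled timer.
        """
        if len(self.gaps) < 2:
            return False
        return all(abs(b / a - 2.0) <= 2.0 * tolerance
                   for a, b in zip(self.gaps, self.gaps[1:]))


def find_alert_chains(export_text: str) -> List[AlertChain]:
    """Return one AlertChain per TCP stream that retransmitted an Encrypted Alert."""
    alerts = defaultdict(list)  # stream index -> [(time, was_retransmission)]
    for row in csv.reader(io.StringIO(export_text)):
        if not row:
            continue
        t, stream, retrans, info = row
        if "Encrypted Alert" in info:
            alerts[int(stream)].append((float(t), retrans == "1"))

    chains = []
    for stream, rows in sorted(alerts.items()):
        rows.sort()
        times = [t for t, _ in rows]
        retrans_count = sum(1 for _, r in rows if r)
        if retrans_count == 0:
            continue  # single alert, acknowledged: nothing to report
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        chains.append(AlertChain(stream, times[0], retrans_count, gaps,
                                 round(times[-1] - times[0], 3)))
    return chains


def summarize(chains: List[AlertChain]) -> List[str]:
    """One human-readable line per affected stream."""
    lines = []
    for c in chains:
        kind = "exponential backoff" if c.backoff_looks_exponential() else "irregular"
        lines.append(f"stream {c.stream}: alert at {c.first_alert:.3f}s, "
                     f"{c.retransmissions} retransmissions ({kind}), "
                     f"teardown stretched by {c.teardown_delay:.2f}s")
    return lines


if __name__ == "__main__":
    for line in summarize(find_alert_chains(SAMPLE_EXPORT)):
        print(line)
```

Run against a real export, a stream whose teardown is delayed only by this chain shows a total close to the sum of the gaps (about 62 s for a 2/4/8/16/32 series), so a much larger wall-clock delay means something else is also waiting; the check therefore separates "the alert is being retransmitted" from "the client is blocking on something unrelated".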