Description
When testing pkcs11 engine performance, I can see that out of 5000 SSL connections fired up against my amd64 workstation, with Apache 2.2.4 using "SSLCryptoDevice pkcs11", usually 5-10 of them fail:
./http_load: SSL connection failed - -1
14108:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:../../../../common/openssl/ssl/s3_pkt.c:426:
https://andal.czech:443: byte count wrong
I can reproduce it only on amd64, not on T1000. Apache mode is worker, with this configuration:
<IfModule worker.c>
ListenBacklog 512
ServerLimit 2
#ThreadLimit 64
MaxClients 128
StartServers 2
ThreadsPerChild 64
#MinSpareThreads 16384
#MaxSpareThreads 16384
MaxRequestsPerChild 0
</IfModule>
The client was http_load, more precisely 10 http_load processes, all run from another machine on a local network, each process using 10 parallel connections, up to 500 https fetches (5000 https connections in total). This is how one process is started:
./http_load -cipher DES-CBC3-SHA -parallel 10 -fetch 500 https-url-file
This happens after 6540060 was fixed, so it's most probably a different problem. When the pkcs11 engine is not used by Apache, the problem disappears. When worker mode uses more processes, with 1 thread per process, the problem disappears.
On T1000, this problem can't be reproduced even when the ncp provider is disabled, which forces pkcs11_softtoken to be used.
Everything mentioned here leads me to the assumption that it's very probably another race condition in the pkcs11 engine itself, when used in a multithreaded environment.