Slow TLS with FreeBSD 8.1-AMD64 DomU


Hi all,

I have a strange problem with TLS sessions that pass through my FreeBSD 8.1 DomU machine:

Dom0 is Citrix XenServer 5.6.

Situation 1:

client<-interface xn0->FreeBSD DomU(with pf,rdr rules)<-interface xn1->webserver(HTTPS)

HTTPS pages took about 10 minutes to open. No issues with HTTP or other non-TLS traffic.

Situation 2:

client<-interface xn0->FreeBSD DomU(squid reverse proxy,no firewall)<-interface xn0->webserver(HTTPS)

The same again, incredibly slow. Client<->squid connection is HTTPS. When I change the squid<->webserver connection to HTTP, everything is back to normal.

I've tried porting the entire configuration to a CentOS 5.5 DomU and everything works like a charm (without any squid.conf modifications except directory locations).

Also, I've noticed TCP checksum errors when communicating with the FreeBSD DomU. TCP offloading options were the cause, and disabling them resolved this issue. However, this had no impact on TLS sessions. I've captured some sessions with Wireshark and tcpdump, and the only error I got is a harmless warning about a self-signed certificate.

Problem persists whether I use XENHVM or stock GENERIC kernel.

I haven't tried recently, but I can't remember any similar issue when using a physical server instead of a DomU.

HELP! I don't want CentOS, I want FreeBSD x( x( x(