rsync & SSL 'for real'

Aaron W Morris aaronwmorris at gmail.com
Wed Apr 18 21:40:59 GMT 2007


On 4/18/07, Carson Gaspar <carson at taltos.org> wrote:
> Lawrence D. Dunn wrote:
> > Colleagues,
> >   If you do pursue SSL functionality directly in rsync,
> >   please be sure to take a look at Chris Rapier's work
> >   to "fix" standard ssh implementations, at:
> >   http://www.psc.edu/networking/projects/hpn-ssh/
> >
> >   Turns out "-e ssh" using most libraries puts a fixed-window-size
> >   ssh-windowing behavior on top of TCP - so for large bandwidth*delay
> >   product paths,
> >   even if you use large TCP buffers (which Wayne added for such paths),
> >   an "un-fixed" SSL library can clobber overall performance/throughput,
> >   even for a perfectly clean (no  errors/loss) path.
>
> SSL != SSH.

This still applies (depending on the ssl toolkit being used).  The
problem referenced here is that the TCP window size is hard-coded inside
the openssl library.  In order to change the window size, one must
patch openssl.

Of course, there is also the question of if openssl is the appropriate
toolkit to use with rsync.  I am not sure of the issues with a GPL
binary linking against a BSD library.  Perhaps GnuTLS is more
appropriate...  (I know... this is probably a whole different can of
worms.   :-) ).

-- 
Aaron W Morris (decep)

