From: Simone Lombardo
To: FreeBSD Questions
Cc: Adrian Chadd
Date: Tue, 24 Feb 2015 14:54:41 +0100
Subject: Re: HTTPS/TLS issue on a NDIS wrapped NIC

Hi,

still regarding the issue, I have made some more tests on the weekend.

A---------------->B
browser          webserver

Monitoring the packets on the NIC endpoints via Wireshark and doing HTTP and HTTPS/TLS calls to a demo webserver, I have found the origin of both the problems is due to the A NIC not transmitting packets while not reporting them as dropped. The TCP retransmission is due to B not receiving the packet and triggering the A fast rexmit routine due to the missing ACK of the lost packet. The packet rexmit always fails and so after the retry count limit is hit, the connection is reset.

I have made some more tuning and the issue seems related to the TCP send buffer. With the default FreeBSD 10.1 values for net.inet.tcp.sendspace (32768) and net.inet.tcp.sendbuf_max (2097152), I can't transmit more than 15Kb of a binary via POST without provoking the issue. Changing them both to certain values makes the behaviour better. For example, I have tried to set both OIDs to 512, 1024 and 5000 and now I could upload up to 1.5 Mb of data without issue. But changing them to other values, for example 513, 1025 and 5001, triggers the behaviour.

Since lowering the buffer makes the performance worse, I have thought about the upload rate being much faster than the NIC could currently support, so I have set up an IPFW filter and piped the data to a really limited outgoing bandwidth (for example 6kb/s) but it had no effect.

I have the sensation it is due to some buffer alignment between the TCP buffer size and the internal NIC buffer, but I have not investigated so far (that would probably require if_ndis module tweaking). The receive buffer settings have no problems and changing MTU/MSS has no effect in the test case.
If someone has a sudden inspiration and advice, in the meantime I am collecting some more evidence :)

Thanks,
Simone

2015-02-08 15:59 GMT+01:00 Simone Lombardo :
> Hi Adrian,
>
> thanks for the reply. I have not seen other side effects other than the cited
> ones. It works fine also with various P2P and FTP protocols for instance.
>
> I have probed the interface with netstat -id but the dropped and error
> packet counters show 0, so it doesn't seem explicitly dropped by the
> if_ndis module.
> I guess further investigations require a demo web server to check if it
> is the remote peer discarding packets or the NIC falsely reporting their
> transmission.
>
> Is there any sysctl or debug feature you know to check if it is discarded by
> the local upper layers?
>
> Thanks,
> Simone
>
> 2015-02-07 17:30 GMT+01:00 Adrian Chadd :
>
>> .. or if that isn't breaking things, maybe there's some packet
>> corruption going on that triggers encryption failures? Normally a
>> corrupted packet would just be dropped by some part of the stack.
>>
>>
>> -adrian
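The diagnosis above (segments leave A, never arrive at B, the receiver's duplicate ACKs trigger fast retransmit, and the retransmissions vanish the same way) was done by eye in Wireshark. The script below automates that two-sided comparison. It is an added example, not part of this thread, not code from Simone or from the FreeBSD project: it parses a simplified `tcpdump -n`-style line format (a real capture has more variants, so the regex is a starting point), the two captures are constructed to reproduce the pattern described in the mail, and the addresses 10.0.0.1.40000 and 10.0.0.2.443 are made up.

```python
import re
from collections import Counter

# Simplified tcpdump -n line format assumed by this example (constructed, not a
# full tcpdump grammar): "<ts> IP <src> > <dst>: Flags [F], seq a:b, ack n, win w, length l"
SEG_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<end>\d+))?,)?(?: ack (?P<ack>\d+),)?"
    r" win \d+, length (?P<len>\d+)$"
)

SENDER = "10.0.0.1.40000"   # host A, capture taken on A's NIC (constructed)
RECEIVER = "10.0.0.2.443"   # host B, capture taken on B's NIC (constructed)

# Constructed capture on A: five data segments go out, B ACKs 1461 four times
# (one real ACK plus three duplicates), A fast-retransmits 1461:2921 and later
# retransmits it again after RTO.
SENDER_CAPTURE = f"""\
13:54:41.000100 IP {SENDER} > {RECEIVER}: Flags [P.], seq 1:1461, ack 1, win 1024, length 1460
13:54:41.000200 IP {SENDER} > {RECEIVER}: Flags [.], seq 1461:2921, ack 1, win 1024, length 1460
13:54:41.000300 IP {SENDER} > {RECEIVER}: Flags [.], seq 2921:4381, ack 1, win 1024, length 1460
13:54:41.000400 IP {SENDER} > {RECEIVER}: Flags [.], seq 4381:5841, ack 1, win 1024, length 1460
13:54:41.000500 IP {SENDER} > {RECEIVER}: Flags [P.], seq 5841:7301, ack 1, win 1024, length 1460
13:54:41.010000 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
13:54:41.010100 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
13:54:41.010200 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
13:54:41.010300 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
13:54:41.010400 IP {SENDER} > {RECEIVER}: Flags [.], seq 1461:2921, ack 1, win 1024, length 1460
13:54:41.410400 IP {SENDER} > {RECEIVER}: Flags [.], seq 1461:2921, ack 1, win 1024, length 1460
"""

# Constructed capture on B: the second segment never shows up, nor do its
# retransmissions, while the NIC on A reported no drops.
RECEIVER_CAPTURE = f"""\
13:54:41.005100 IP {SENDER} > {RECEIVER}: Flags [P.], seq 1:1461, ack 1, win 1024, length 1460
13:54:41.005200 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
13:54:41.005300 IP {SENDER} > {RECEIVER}: Flags [.], seq 2921:4381, ack 1, win 1024, length 1460
13:54:41.005400 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
13:54:41.005500 IP {SENDER} > {RECEIVER}: Flags [.], seq 4381:5841, ack 1, win 1024, length 1460
13:54:41.005600 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
13:54:41.005700 IP {SENDER} > {RECEIVER}: Flags [P.], seq 5841:7301, ack 1, win 1024, length 1460
13:54:41.005800 IP {RECEIVER} > {SENDER}: Flags [.], ack 1461, win 2048, length 0
"""


def parse_capture(text):
    """Turn capture lines into dicts; lines that do not fit the format are skipped."""
    segments = []
    for line in text.splitlines():
        m = SEG_RE.match(line.strip())
        if not m:
            continue
        segments.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"], "flags": m["flags"],
            "seq": int(m["seq"]) if m["seq"] else None,
            "end": int(m["end"]) if m["end"] else None,
            "ack": int(m["ack"]) if m["ack"] else None,
            "len": int(m["len"]),
        })
    return segments


def data_segment_counts(segments, src, dst):
    """How often each data-carrying byte range src->dst was seen (>1 means retransmitted)."""
    counts = Counter()
    for s in segments:
        if s["src"] == src and s["dst"] == dst and s["len"] > 0:
            counts[(s["seq"], s["end"])] += 1
    return counts


def count_dup_acks(segments, src, dst):
    """Pure ACKs src->dst that repeat an ack number: repeats beyond the first are dup ACKs."""
    acks = Counter(s["ack"] for s in segments
                   if s["src"] == src and s["dst"] == dst and s["len"] == 0 and s["ack"] is not None)
    return {ack: n - 1 for ack, n in acks.items() if n > 1}


def find_silent_losses(sender_text, receiver_text, src, dst):
    """Compare both ends: ranges sent by src but never captured at dst are silent losses."""
    sender_segs = parse_capture(sender_text)
    sent = data_segment_counts(sender_segs, src, dst)
    received = data_segment_counts(parse_capture(receiver_text), src, dst)
    return {
        "never_seen_at_receiver": sorted(rng for rng in sent if rng not in received),
        "retransmissions": {rng: n - 1 for rng, n in sent.items() if n > 1},
        "dup_acks_seen_by_sender": count_dup_acks(sender_segs, dst, src),
    }


if __name__ == "__main__":
    report = find_silent_losses(SENDER_CAPTURE, RECEIVER_CAPTURE, SENDER, RECEIVER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed captures the report lists byte range 1461:2921 as sent three times (two retransmissions) and never seen at B, with three duplicate ACKs for 1461 arriving at A, which is exactly the fast-retransmit signature described in the mail. When run on real captures, a non-empty `never_seen_at_receiver` together with zero drops in `netstat -id` on the sender points at the NIC or its driver rather than at the peer.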