XML-RPC and bcrypt


Cédric Krier

May 20, 2016, 6:50:04 PM
to Tryton
Hi,

I would like to share some experiences I just got with XML-RPC.

Indeed, I was checking the XML-RPC from proteus on demo4.0.tryton.org
(port 80). And I found that it was really slower than the
demo3.8.tryton.org (port 8069).

At first, I thought it was a reverse-proxy issue, but both servers run
under similar configuration.
Then I thought it was an issue like [1] and that Nagle should be
disabled also on Linux. But it did not change anything.
Finally, I timed each method used and I found that it was the login
check. Demo 4.0 is using bcrypt for the password and 3.8 sha1.
And so the password check in 4.0 is quite slow because of the design of bcrypt
and this check is done on each request.

As it is not so obvious, I think it is good to share it.

So if you want to use XML-RPC with Basic authentication, you should be
careful about the encryption used for the password.

PS: I'm wondering if we should allow configuring which hashing method
to use for a specific user.


[1] https://bugs.tryton.org/issue5552

--
Cédric Krier - B2CK SPRL
Email/Jabber: cedric...@b2ck.com
Tel: +32 472 54 46 59
Website: http://www.b2ck.com/
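The per-request cost described above, as an added example that is not Tryton's or proteus' code: a simulated Basic-auth handler that counts how often the password hash actually runs. PBKDF2 with a high iteration count stands in for bcrypt (the tunable work factor is what makes it slow), a salted sha1 digest stands in for the 3.8 scheme, and a short-lived cache of verified credentials (keyed by an HMAC under a random per-process key) illustrates one way, not discussed in the thread, to pay the slow hash once per client instead of once per request. The credential, salt and round count are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo credential and salt, not values from the mailing list.
USER, PASSWORD, SALT = "demo", "correct horse battery", b"constructed-salt"
ROUNDS = 100_000  # high iteration count stands in for bcrypt's work factor

def slow_hash(password):
    # Deliberately expensive like bcrypt: the cost 4.0 pays on every request.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ROUNDS)

def fast_hash(password):
    # Cheap digest standing in for the 3.8-era sha1 scheme.
    return hashlib.sha1(SALT + password.encode()).digest()

class BasicAuthChecker:
    # Checks the Basic Authorization header on every request. With cache_ttl > 0
    # a successful check is remembered under an HMAC of the credential (random
    # per-process key) so the slow hash runs once per credential per TTL.
    def __init__(self, hash_fn, cache_ttl=0.0):
        self.hash_fn, self.stored = hash_fn, hash_fn(PASSWORD)
        self.cache_ttl, self._cache, self._key = cache_ttl, {}, os.urandom(32)
        self.hash_evaluations = 0  # how often the password hash actually ran

    def authenticate(self, authorization, now):
        # `now` is the request time in seconds (monotonic clock in a real server).
        scheme, _, encoded = authorization.partition(" ")
        if scheme != "Basic":
            return False
        user, sep, password = base64.b64decode(encoded).decode().partition(":")
        if not sep or user != USER:
            return False
        tag = hmac.new(self._key, encoded.encode(), "sha256").digest()
        if self._cache.get(tag, 0.0) > now:  # cached success still valid
            return True
        self.hash_evaluations += 1
        ok = hmac.compare_digest(self.hash_fn(password), self.stored)
        if ok and self.cache_ttl:  # failures are never cached
            self._cache[tag] = now + self.cache_ttl
        return ok

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def count_hash_evaluations(hash_fn, requests, cache_ttl=0.0):
    # Replay identical authenticated requests, one per simulated second.
    checker, header = BasicAuthChecker(hash_fn, cache_ttl), basic_header(USER, PASSWORD)
    assert all(checker.authenticate(header, now=float(i)) for i in range(requests))
    return checker.hash_evaluations
```

Without a cache every XML-RPC call re-runs the slow hash, which is the slowdown seen on demo4.0; with a TTL the expensive check runs once per credential per TTL window.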

Albert Cervera i Areny

May 21, 2016, 6:30:09 PM
to try...@googlegroups.com
2016-05-21 0:46 GMT+02:00 Cédric Krier <cedric...@b2ck.com>:
> Hi,
>
> I would like to share some experiences I just got with XML-RPC.
>
> Indeed, I was checking the XML-RPC from proteus on demo4.0.tryton.org
> (port 80). And I found that it was really slower than the
> demo3.8.tryton.org (port 8069).
>
> At first, I thought it was a reverse-proxy issue, but both servers run
> under similar configuration.
> Then I thought it was an issue like [1] and that Nagle should be
> disabled also on Linux. But it did not change anything.
> Finally, I timed each method used and I found that it was the login
> check. Demo 4.0 is using bcrypt for the password and 3.8 sha1.
> And so the password check in 4.0 is quite slow because of the design of bcrypt
> and this check is done on each request.
>
> As it is not so obvious, I think it is good to share it.

Sure. Thanks for sharing.

> So if you want to use XML-RPC with Basic authentication, you should be
> careful about the encryption used for the password.
>
> PS: I'm wondering if we should allow configuring which hashing method
> to use for a specific user.

I think that would be a little bit too much. But maybe it would be
worth making it configurable on trytond.conf because currently it only
depends on the availability of the bcrypt package. If it's there, it
is used.

>
>
> [1] https://bugs.tryton.org/issue5552
>
> --
> Cédric Krier - B2CK SPRL
> Email/Jabber: cedric...@b2ck.com
> Tel: +32 472 54 46 59
> Website: http://www.b2ck.com/
>



--
Albert Cervera i Areny
http://www.NaN-tic.com
Tel. 93 553 18 03

Cédric Krier

May 22, 2016, 2:35:04 AM
to try...@googlegroups.com
On 2016-05-22 00:29, Albert Cervera i Areny wrote:
> > PS: I'm wondering if we should allow configuring which hashing method
> > to use for a specific user.
>
> I think that would be a little bit too much. But maybe it would be
> worth making it configurable on trytond.conf because currently it only
> depends on the availability of the bcrypt package. If it's there, it
> is used.

But it is based on the principle to use the best available by default.
bcrypt is better than sha1 because of this CPU constraint.
But maybe, it could be configurable and if there is no configuration, we
use the best.

Albert Cervera i Areny

May 22, 2016, 6:46:45 AM
to try...@googlegroups.com
2016-05-22 8:31 GMT+02:00 Cédric Krier <cedric...@b2ck.com>:
> On 2016-05-22 00:29, Albert Cervera i Areny wrote:
>> > PS: I'm wondering if we should allow configuring which hashing method
>> > to use for a specific user.
>>
>> I think that would be a little bit too much. But maybe it would be
>> worth making it configurable on trytond.conf because currently it only
>> depends on the availability of the bcrypt package. If it's there, it
>> is used.
>
> But it is based on the principle to use the best available by default.
> bcrypt is better than sha1 because of this CPU constraint.
> But maybe, it could be configurable and if there is no configuration, we
> use the best.

+1

>
> --
> Cédric Krier - B2CK SPRL
> Email/Jabber: cedric...@b2ck.com
> Tel: +32 472 54 46 59
> Website: http://www.b2ck.com/
>

Cédric Krier

May 23, 2016, 3:40:04 AM
to try...@googlegroups.com
On 2016-05-22 12:46, Albert Cervera i Areny wrote:
> 2016-05-22 8:31 GMT+02:00 Cédric Krier <cedric...@b2ck.com>:
> > On 2016-05-22 00:29, Albert Cervera i Areny wrote:
> >> > PS: I'm wondering if we should allow configuring which hashing method
> >> > to use for a specific user.
> >>
> >> I think that would be a little bit too much. But maybe it would be
> >> worth making it configurable on trytond.conf because currently it only
> >> depends on the availability of the bcrypt package. If it's there, it
> >> is used.
> >
> > But it is based on the principle to use the best available by default.
> > bcrypt is better than sha1 because of this CPU constraint.
> > But maybe, it could be configurable and if there is no configuration, we
> > use the best.
>
> +1

Filed: https://bugs.tryton.org/issue5569