Re: Subversion authentication via SASL GSSAPI and likewise open

Tue, 31 Jul 2012 09:59:44 -0700 

Want to share some of my tests results:
/trunk - 1.80 GB (1,941,844,940 bytes) - 148,114 Files; 52,519 Folders
--------------------------------------------------------------------------------
Old Hardware Server - Ubuntu 9.04:
 svn, version 1.5.4 (r33841) compiled Aug  7 2009, 01:44:11
co svn://  ~ 23m 32sec
co https:// ~ 30m 10sec
svn vs https perf, % ~ > 28%
        
up svn:// ~ 3m 22sec
up https:// ~ 5m 04sec
svn vs https perf, % > 50%
--------------------------------------------------------------------------------
New Hardware Server - Ubuntu 12.04:
svn, version 1.6.17 (r1128011) compiled Dec 17 2011, 16:12:52
co svn://  ~ 18m 30sec
co https:// ~ 22m 47sec
svn vs https perf, % ~ > 23%
        
up svn:// ~ 2m 06sec
up https:// ~ 2m 35sec
svn vs https perf, % ~ > 23%
--------------------------------------------------------------------------------
New Hardware Server - Ubuntu 12.04:
svn, version 1.7.5 (r1336830) compiled Jul 19 2012, 21:53:29
co svn://  ~ 22m 50sec
co https:// ~ 24m 00sec
svn vs https perf, % ~ > 5%
        
up svn:// ~ 2m 38sec
up https:// ~ 2m 28 sec
svn vs https perf, % ~ < 7%
--------------------------------------------------------------------------------
I can see that in general performance didn't increase so much.
But difference between svn and http decreased.

On Thu, Jul 26, 2012 at 12:21 PM, Cooke, Mark <mark.co...@siemens.com> wrote:
>
> Note: please reply in-line and, if at all possible, in _plain_ text, not
> html...
>
>> On Thu, Jul 26, 2012 at 11:50 AM, Cooke, Mark
>> <mark.co...@siemens.com> wrote:
>>
>>       > On Thu, Jul 26, 2012 at 9:38 AM, Cooke, Mark
>>       > <mark.co...@siemens.com> wrote:
>>       >
>>       >
>>       >       > -----Original Message-----
>>       >       > From: xumuku [mailto:xum...@gmail.com]
>>       >       > Sent: 25 July 2012 16:49
>>       >       > To: subversion_us...@googlegroups.com
>>       >       > Cc: users@subversion.apache.org; xum...@gmail.com
>>       >       > Subject: Re: Subversion authentication via
>> SASL GSSAPI and
>>       >       > likewise open
>>       >       >
>>       >       > My current  /usr/lib/sasl2/svn.conf is:
>>       >       >
>>       >       > pwcheck_method: saslauthd
>>       >       > mech_list: GSSAPI
>>       >       > saslauthd_path: /var/run/saslauthd/mux
>>       >       > log_level: 7
>>       >       >
>>       >       > But I get the error:
>>       >       > Cannot negotiate authentication mechanism
>>       >       >
>>       >       > 1. Does *anyone* have Windows SVNServe
>> authenticating to
>>       >       > AD/Kerberos via SASL/GSSAPI?
>>       >       >
>>       > <http://stackoverflow.com/questions/10407077/does-anyone-have-
>>       > windows-svnserve-authenticating-to-ad-kerberos-via-sasl-gssap>
>>       >       > 2. Cannot negotiate authentication mechanism
>>       >       >
>>       > <http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065
>>       > &viewType=browseAll&dsMessageId=65725#messagefocus>
>>       >
>>       >       No (sorry), we use https via apache and mod_ldap to
>>       > authenticate against AD.  I am interested to know why you
>>       > think that is not secure enough (perhaps you have *nix
>>       > clients storing plain text passwords?)
>>       >
>>       >       ~ mark c
>>       >
>>       > Because it works only with PLAIN auth:
>>
>>       Ah, ok, yes, I did say we use https.  The server is
>> configured to redirect all http traffic to https (using
>> mod_ssl) and authentication then happens in that encrypted
>> environment (or am I being naïve here?)
>>
>>       > tcpdump -ni eth0 -A src host 192.168.1.2 and tcp dst port 3690
>>       >
>>       >
>>       > 17:10:10.488834 IP 192.168.1.2.59751 > 192.168.1.1.3690:
>>       > Flags [P.], seq 145:184, ack 166, win 65115, length 39
>>       > E..O.b@...."..@...@     .g.j....~...P..[....( PLAIN (
>>       > 21:AHVzZXIAcGFzc3dvcmQ=
>>       >
>>       >
>>       > http://www.opinionatedgeek.com/dotnet/tools/base64decode/ -
>>       > and you can see my sername and password
>>       >
>>       >
>>       > We already have Apache via mod_svn and mod_ldap but
>> it is very slow.
>>
>>       What is very slow?  I know we don't have many users and
>> are on an internal network but I have no issue with our speeds...
>>
>>       ~ mark c
>>
>> -----Original Message-----
>> From: slaventii [mailto:xum...@gmail.com]
>> Sent: 26 July 2012 09:58
>> To: Cooke, Mark
>> Cc: users@subversion.apache.org
>> Subject: Re: Subversion authentication via SASL GSSAPI and
>> likewise open
>>
>> >Ah, ok, yes, I did say we use https.  The server is
>> configured to redirect all http traffic >to https (using
>> mod_ssl) and authentication then happens in that encrypted
>> >environment (or am I being naïve here?)
>> As I wrote we already have Apache with HTTPS. All is good
>> except speed.
>
> Sorry, I read the list, not links to other sites.
>
>> >What is very slow?  I know we don't have many users and are
>> on an internal network >but I have no issue with our speeds...
>>
>> And this is not only our opinion - Svnserve VS mod_dav_svn
>> <http://stackoverflow.com/questions/502585/svnserve-vs-mod-dav-svn> .
>>
>> SVN + Apache - slow.
>> SVN + SASL-Ldap - insecure.
>> SVN + SASL-GSSAPI - in progress :)
>
> As mentioned in one of the answers to your stackoverflow question (seeing
> as you insist on referencing it), svn 1.7 uses a new, faster protocol for
> mod_dav which you will be using by default if setting up a new repo and
> using up-to-date clients...  Remember the version (1.4.5) benchmarked was
> released in 2007!
>
> Have you actually run any benchmark trials yourself comparing https and
> svnserve on your network?  If your network is slow (not the server) then it
> may not actually matter which you use!
>
> ~ mark c

Reply via email to