Chapter 4
Configuring SSL Termination
Configuring the Delay Time for SSL Queued Data
OL-5655-01
SSL on the CSS queues packet data from the server and encrypts it for
transmission to the client. SSL empties the data from the queue and encrypts it for
transmission to the client when:
• The queue fills to 16,400 bytes (the maximum SSL record size)
• The server sends a TCP FIN packet
• The delay time on the CSS has passed, even though the queue has less than 16,400 bytes
For efficiency, SSL encrypts data into SSL records with a maximum size of
16,400 bytes. In an attempt to fully queue 16,400 bytes for encryption, SSL delays
the emptying of the queue data for encryption.
You can use the ssl-server number ssl-queue-delay ms command to set the
amount of time for the CSS virtual SSL server to wait before emptying the queued
data for encryption. The default delay is 200 milliseconds. Enter a delay time
value in milliseconds from 0 (disabled) to 10000.
Setting the delay value to 0 disables the queuing of data. The virtual SSL server
on the CSS encrypts the data as soon as it arrives from the server and then sends
the data to the client.
For example, to configure a delay time value of 400 milliseconds, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 ssl-queue-delay 400
To reset the delay time to the default of 200 milliseconds, enter:
(config-ssl-proxy-list[ssl_list1])# no ssl-server 20 ssl-queue-delay
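The following Python model is an added illustration, not part of the Cisco guide or the CSS software. It applies the three flush conditions described above to a constructed server packet trace, so you can compare the SSL records produced at delay values of 0, 200, and 400 milliseconds. The point at which the timer starts (the first byte entering an empty queue) and the carry-over of data beyond 16,400 bytes are assumptions.

```python
MAX_RECORD = 16_400  # bytes; maximum SSL record size given in the guide

def simulate(events, delay_ms):
    """Model the flush rules. events: time-ordered (t_ms, nbytes, fin) tuples
    from the server. Returns a list of (t_ms, record_bytes, reason)."""
    records, queued, deadline = [], 0, None

    def flush(t, reason):
        nonlocal queued, deadline
        if queued:
            records.append((t, queued, reason))
        queued, deadline = 0, None

    for t, nbytes, fin in events:
        if deadline is not None and deadline <= t:
            flush(deadline, "delay")          # delay time passed before this arrival
        queued += nbytes
        while queued >= MAX_RECORD:           # queue filled: emit a full record
            records.append((t, MAX_RECORD, "full"))
            queued -= MAX_RECORD
            deadline = None
        if fin or delay_ms == 0:              # TCP FIN, or queuing disabled (delay 0)
            flush(t, "fin" if fin else "no-queue")
        elif queued and deadline is None:
            deadline = t + delay_ms           # ASSUMPTION: timer starts at first queued byte
    if deadline is not None:
        flush(deadline, "delay")              # trailing data leaves when the timer expires
    return records

# Constructed trace: three segments, a 250 ms pause, then two more ending in FIN.
TRACE = [(0, 1460, False), (50, 1460, False), (100, 1460, False),
         (350, 1460, False), (360, 500, True)]

if __name__ == "__main__":
    for delay in (0, 200, 400):
        print(delay, simulate(TRACE, delay))
```

In this model a longer delay yields fewer, larger records at the cost of holding the first bytes longer, while a delay of 0 produces one record per server segment.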
Configuring Virtual SSL Servers for an SSL Proxy List
Cisco Content Services Switch SSL Configuration Guide