WebPagetest Forums
high SSL negotiation time on each request - Printable Version

+- WebPagetest Forums (https://www.webpagetest.org/forums)
+-- Forum: Web Performance (/forumdisplay.php?fid=3)
+--- Forum: Optimization Discussions (/forumdisplay.php?fid=5)
+--- Thread: high SSL negotiation time on each request (/showthread.php?tid=12651)



high SSL negotiation time on each request - tradiechoice - 11-14-2013 01:59 AM

My test shows, high ssl negotiation for ie8
http://www.webpagetest.org/result/131113_4N_Q2T/1/details/

Is there anything I can do on the server to fix this.


RE: high SSL negotiation time on each request - robzilla - 11-15-2013 12:27 AM

Seems to be less of a problem at other test locations:
http://www.webpagetest.org/result/131114_AB_N4S/1/details/
http://www.webpagetest.org/result/131114_CY_N53/1/details/

Your version of OpenSSL is quite old: 0.9.8 was released in 2005. Consider upgrading to RHEL6 (many advantages to that beside OpenSSL), which comes with 1.0.0 (released in 2009). You'll also benefit from Perfect forward secrecy, introduced with v1.


RE: high SSL negotiation time on each request - andydavies - 11-17-2013 08:50 AM

(11-14-2013 01:59 AM)tradiechoice Wrote:  My test shows, high ssl negotiation for ie8
http://www.webpagetest.org/result/131113_4N_Q2T/1/details/

Is there anything I can do on the server to fix this.

Turn on TCP keep-alive, serve the site and intermediate certificates together, enable SSL session resumption


RE: high SSL negotiation time on each request - pmeenan - 11-19-2013 01:03 AM

Yikes - yeah, keep-alives. Not having keep-alives sucks for non-SSL sites but it's insane for SSL sites.

And pretty much everything else Andy mentioned - but keep-alives first.


RE: high SSL negotiation time on each request - robzilla - 11-19-2013 04:29 AM

Hmm. Am I reading the headers incorrectly, then? Both the request and response headers include "Connection: Keep-Alive".


RE: high SSL negotiation time on each request - pmeenan - 11-19-2013 04:55 AM

The headers do claim to want the connections to be kept open. A tcpdump would show if they are getting closed on the client or server side.

Also, if the SSL cert isn't valid and you're ignoring cert errors it's possible that IE won't keep the connection alive.


RE: high SSL negotiation time on each request - andydavies - 11-26-2013 09:03 AM

There only appears to be a single test in this case (so this may not apply) but...

I have seen tests where a bunch of test agents crawling a site consumed all the available keep-alive connections on the server-side so some tests had keep-alive behaviour, and some didn't! Sad