WebPagetest Forums
SSL Settings - Printable Version


SSL Settings - RuudBoon - 08-12-2011 01:15 AM

Hi,

I'm wondering if it's possible to speed up the handshake of concurrent SSL connections.

For example:
- In the browser I'm opening https://test.nl
- The SSL handshake completes and the index page gets served.
- The index page needs to load some CSS, JS and images. So 4 concurrent connections (depending on the browser) will be opened. They will share the cookies etc. But every connection needs to do a new handshake (400ms in this case).

I know you can reuse the same connection if the server supports it. (Testing it like this: openssl s_client -connect example.nl:443 -reconnect )

Is there a way to skip the handshake and reuse the session for the new connections?


RE: SSL Settings - pmeenan - 08-12-2011 10:22 AM

Largely you need client-side support for that. Chrome has been pushing really hard to make SSL as fast as possible and will reuse the sessions (as well as a bunch of other improvements and spec changes to eventually eliminate all of the extra round trips).

More info:
http://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html
http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00.html
https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00
http://tools.ietf.org/html/draft-agl-tls-snapstart-00


RE: SSL Settings - Lennie - 01-30-2012 10:11 AM

Some HTTPS tips:

First check to see how you are doing on the security side:
https://www.ssllabs.com/ssldb/

Second, if you are technical enough you should check if the HTTPS webserver is set up correctly, so session IDs should work (if they don't, you will have a lot worse performance for multiple connections).

The next thing is to check if Chrome is able to connect to your site with 'false start', so your site doesn't have to be added to the blacklist.

Some other things you could do:
Set up your whole site to use a CDN; that way the connection time for HTTPS goes down, because the initial connection time is limited by the latency between the client (browser) and server.

Another trick you could do, because that data is kind of large and not compressed, is to shorten the certificate chain. Try to find a CA which does not need an 'intermediate certificate' and which is already supported by all browsers that might use your site. You do not need to include the certificate which is already in the browsers. So if there is no intermediate needed, you can remove the whole chain and only send the certificate for the site.

You should also keep an eye on SPDY, there is currently a production-ready webserver which supports SPDY out of the box but when there is you should start to set that up. With the 'Alternative' header. Chrome already supports SPDY, Firefox will probably enable it in Firefox 11.
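
Added example, not part of any post in this thread: a way to turn the `openssl s_client -reconnect` test from the first post into a pass/fail check of whether session IDs work. The function names and the sample transcripts are constructed for illustration; the only assumption about s_client is that it prints a line starting with "New, " for a full handshake and "Reused, " for a resumed one.

```shell
#!/bin/sh
# Reads s_client output on stdin, prints "new=<n> reused=<n> verdict=<word>".
# Exit status 0 if at least one reconnect resumed the session, 1 otherwise.
resumption_summary() {
    awk '
        /^New, /    { new++ }
        /^Reused, / { reused++ }
        END {
            new += 0; reused += 0
            if (new + reused == 0) verdict = "no-handshake-seen"
            else if (reused == 0)  verdict = "not-resumed"
            else if (new > 1)      verdict = "partially-resumed"
            else                   verdict = "resumed"
            printf "new=%d reused=%d verdict=%s\n", new, reused, verdict
            exit (reused > 0 ? 0 : 1)
        }'
}

# Live check; $1 is host:port, e.g. check_host example.nl:443
check_host() {
    openssl s_client -connect "$1" -reconnect </dev/null 2>/dev/null |
        resumption_summary
}

# Constructed transcripts (trimmed to the relevant lines), not real captures.
# -reconnect makes one initial connection followed by five reconnects.
sample_resuming() {
    echo 'CONNECTED(00000003)'
    echo 'New, TLSv1/SSLv3, Cipher is AES128-SHA'
    for i in 1 2 3 4 5; do echo 'Reused, TLSv1/SSLv3, Cipher is AES128-SHA'; done
}
sample_not_resuming() {
    echo 'CONNECTED(00000003)'
    for i in 1 2 3 4 5 6; do echo 'New, TLSv1/SSLv3, Cipher is AES128-SHA'; done
}
sample_partial() {
    # Some reconnects fell back to a full handshake.
    for i in 1 2; do echo 'New, TLSv1/SSLv3, Cipher is AES128-SHA'; done
    for i in 1 2 3 4; do echo 'Reused, TLSv1/SSLv3, Cipher is AES128-SHA'; done
}

# Demo on the constructed transcript of a server that resumes sessions.
sample_resuming | resumption_summary
```

A `not-resumed` verdict means every extra connection the browser opens pays the full handshake cost described in the first post.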