Current time: 12-12-2019, 11:05 AM Hello There, Guest! (LoginRegister)

Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
SSL Gaps
11-17-2015, 03:44 AM (This post was last modified: 11-17-2015 03:45 AM by johnrussell9983.)
Post: #1
SSL Gaps
Hey Pat,
We started seeing some odd behavior in our waterfalls starting around Oct 29/30th. We are seeing long SSL gaps with our sites with EV certs. In some cases the waterfall looks normal(run 1) but all other cases have the gap. We've checked on our side and can't pin this down to anything that was changed. It's across several of our sites and we can't find a common link between them. Is there anything going on with the WPT system that would cause this?

http://www.webpagetest.org/result/151116_ZT_12EC/

Thanks!
Find all posts by this user
Quote this message in a reply
12-03-2015, 11:19 PM
Post: #2
RE: SSL Gaps
Hi,

The gaps is when the browser is issuing OCSP requests to check the validity of the certificates. In case of EV chain it seems to be aggresive, and will try to check the status of all of the certificates in the chain, and it also seems that this operation is blocking.

Unfortunately it's not shown in the waterfall - it's just a gap, but if you swithc to firefox - it all becomes clear - what is going on behind the scenes, you can see all the ocsp requests clearly. Have a look here:

http://www.webpagetest.org/result/151203...1/details/

You can enable OCSP stapling on your server - but this will cut just one OCSP request, the rest will still be there.

Debugging OCSP is hard, as no dev tolls will show you those requests being made - you need to dump the traffic, and analyze it later. You can do it easily in WPT in the options.

Regards,
Arek
Find all posts by this user
Quote this message in a reply
12-16-2015, 04:26 AM
Post: #3
RE: SSL Gaps
Just a follow up. Noticed this issue is no longer happening and we have not changed anything on our side. This had to have been some kind of bug with WPT and EV certs:

http://www.webpagetest.org/result/151215_EG_1024/


Thanks for your replies!
Find all posts by this user
Quote this message in a reply
12-18-2015, 01:31 AM
Post: #4
RE: SSL Gaps
There were 2 changes made recently that could be responsible:

1 - I switched back to using dev tools timing data instead of netlog. It's more reliable but not as granular and it's possible that gaps could now be hidden in the actual negotiation times. I have work on deck that will remove any dependency on getting timings from Chrome but it won't be ready for a few months.

2 - (most likely) I changed the chrome extension to not intercept every network request to modify the outbound headers and add the PTST string to the UA string (it is added differently now). Apparently there is a CRAZY amount of overhead in routing the requests through the extension.
Visit this user's website Find all posts by this user
Quote this message in a reply
12-18-2015, 02:14 AM
Post: #5
RE: SSL Gaps
Awesome! Thanks for the response Pat! I know we bug you a lot about bugs and such with WPT but it shows you how much our company relies on your tool. Keep up the great work! Smile
Find all posts by this user
Quote this message in a reply
01-06-2016, 09:54 PM (This post was last modified: 01-07-2016 12:22 AM by agoralski.)
Post: #6
Brick RE: SSL Gaps
Hi,

I can also confirm that the gaps are gone now, thanks Pat!

However I still think there is a bug with grading the time to first byte with EV certificates, please check the following:

Test with non-EV certificate:
http://www.webpagetest.org/result/160106_MT_J5Z/

TTFB: 0.637s and it gives the grade "A"

Test with EV certificate:
http://www.webpagetest.org/result/160106_6D_JSX/

TTFB: 0.542s and it gives the grade "F"

This doesn't make any sense, all the metrics are faster than the ones from the non-EV test, but the EV one is still getting the "F" grade. It's as if the gaps were still there - maybe not visible anymore in the waterfall, but these are still taken into account when calculating the grade?

Any help appreciated.

Regards,
Arek
Find all posts by this user
Quote this message in a reply
01-06-2016, 11:21 PM
Post: #7
RE: SSL Gaps
Thanks. I'm planning on re-vamping the target TTFB logic as it seems to have a fair number of cases where it is calculated incorrectly. Should be fixed in the next couple of days.
Visit this user's website Find all posts by this user
Quote this message in a reply
01-09-2016, 02:29 AM
Post: #8
RE: SSL Gaps
OK, just finished fixing the TTFB grading logic so it should be a lot more consistent (and logical) now.
Visit this user's website Find all posts by this user
Quote this message in a reply
01-11-2016, 06:25 PM (This post was last modified: 01-11-2016 07:37 PM by agoralski.)
Post: #9
RE: SSL Gaps
(01-09-2016 02:29 AM)pmeenan Wrote:  OK, just finished fixing the TTFB grading logic so it should be a lot more consistent (and logical) now.

Thanks Pat, I can confirm that it works now!

Regards,
Arek
Find all posts by this user
Quote this message in a reply
01-12-2016, 12:58 PM
Post: #10
RE: SSL Gaps
(01-09-2016 02:29 AM)pmeenan Wrote:  OK, just finished fixing the TTFB grading logic so it should be a lot more consistent (and logical) now.
Is this also partly addressing the unattainable target FBT times when a CDN is detected?
Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)