Current time: 12-16-2019, 11:14 PM Hello There, Guest! (LoginRegister)

Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Increased secure connection latency
01-30-2014, 01:57 AM
Post: #1
Increased secure connection latency
I've noticed increased secure connection latency between DNS lookup and Initial Connections on many (but not all) of our HTTPS requests since about Jan 6th for our subdomains and 3rd parties alike.

Before - http://www.webpagetest.org/result/140106...8/details/
After - http://www.webpagetest.org/result/140120...8/details/

I've done some research and found that there's been a big shift in the industry from 1024-bit encryption to 2048-bit encryption between late 2013 and now. We're using 2048-bit encryption on our web servers. I know encrypting a longer key takes more time and CPU. Is it possible the test agents we're using through WPT are getting CPU bound? I can't figure out where this timing gap is coming from between DNS Lookup and Initial Connection all of the sudden.

We've checked our web servers and their CPU thresholds are fine. However we're still seeing recurring HTTPS connection latencies that are pushing out Fully Loaded Times by 1.2+ secs recently.

Any thoughts are greatly appreciated.

DigitalJeff
Find all posts by this user
Quote this message in a reply
02-07-2014, 03:20 AM
Post: #2
RE: Increased secure connection latency
Our support folks are still racking their brains on this issue. They're suggesting that it may be any of the following:
- an issue or change on the WPT side with how the IE-10 connection tasks are displayed in the waterfalls
- a change in how IE-10 handles 2048-bit encryption (not likely for this timeframe though)
- possible CPU/memory issues with the test agents
Have you had a chance to look at the test results in original post or have any suggestions on what's going on? We're really interested in knowing what the time delays are that are increasing our load times.
Thanks.
Find all posts by this user
Quote this message in a reply
02-07-2014, 03:53 AM
Post: #3
RE: Increased secure connection latency
Try turning on "Ignore Cert Errors" and see if the performance changes back to what you'd expect. The only change that I see in the history in that date range that seems likely to have impacted was this one: https://github.com/WPO-Foundation/webpag...7e0feb5404

Prior to the change, the IE 10+ agents were always ignoring cert errors and doing it by stubbing out the chain validation (which probably included OCSP checks). Now it is only stubbing it out when explicitly requested.
Visit this user's website Find all posts by this user
Quote this message in a reply
02-07-2014, 04:58 AM
Post: #4
RE: Increased secure connection latency
Patrick,

I went ahead and reran a set of IE-10 tests ignoring certificate errors and the median time is back down to our normal range, which means now we know why the load times changed (the default behavior of the IE 10+ agents has changed).

However, I had recently checked all of our secure domain calls in the waterfalls with an SSL Checker, http://www.sslshopper.com/ssl-checker.html, and all the certs/chain validations checked out fine.

So, does checking the "ignore cert errors" box mean that the tests will not perform any chain validation/OCSP checks at all OR do we actually have cert errors on our page that the SSL Checker utility doesn't identify?

Thanks.
Find all posts by this user
Quote this message in a reply
02-07-2014, 05:19 AM
Post: #5
RE: Increased secure connection latency
The "ignore cert errors" completely bypasses the validation/OCSP, not just if errors are found which is why there's a performance difference between the two.
Visit this user's website Find all posts by this user
Quote this message in a reply
02-07-2014, 05:56 AM (This post was last modified: 02-07-2014 06:15 AM by DigitalJeff.)
Post: #6
RE: Increased secure connection latency
Ok thanks. Since we're striving to re-create tests as close to "actual customer experience" as possible, we'll use the new IE 10+ default behavior and let the validation/OCSP execute, re-baseline our load times and explain the adjustment to our business stakeholders.

Thanks for providing such a great WPO tool!

Any way of showing the validation/OCSP activity in the waterfall for IE 10+ (like FF does)? I presume that's what the blank time gaps are between some of the DNS Lookup and Initial Connection tasks for secure domain requests or is that something else?
Find all posts by this user
Quote this message in a reply
02-11-2014, 01:53 AM
Post: #7
RE: Increased secure connection latency
Looking into it. It looks like the validation for IE is done out-of-process from the browser so I don't see the requests.
Visit this user's website Find all posts by this user
Quote this message in a reply
02-12-2014, 11:55 PM
Post: #8
RE: Increased secure connection latency
Is there another way to decipher what's going on underneath the hood at these times (between DNS and Initial Connection)? I see an option on the Advance tab for tcpdump (I'll try that and get back to you), but haven't used it before in WPT. I have looked at some WireShark tcplogs from my local machine a while back - maybe the outputs are similar? I'm trying to target some optimization efforts at the connection related requests to improve TTFB, SSL negotiations times, etc. and reduce page load times further (unless you see other lower hanging fruit opportunities in the waterfall to focus on).

IE10: http://www.webpagetest.org/result/140210...4/details/ (need more visibility into connection time gaps)
IE11: http://www.webpagetest.org/result/140210...7/details/ (doesn't show much detail in waterfall or request details to understand what's going on with this browser version)
Chrome: http://www.webpagetest.org/result/140210...ils/cached (shows 1+ sec longer Fully Loaded Time in summary table vs. Waterfall or Request Details sections?)

Any guidance in applying WPO with the varying levels of detail between the different browser results listed above would be greatly appreciated.
Thanks!
Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)