Gaps in waterfall specifically in IE
|
10-02-2014, 02:42 AM
Post: #11
|
|||
|
|||
RE: Gaps in waterfall specifically in IE
Thanks, Sundeep.
So you have a support link / number about the OSCP stapling not being supported for custom domains on CloudFront? SSL Labs showing OSCP stapling enabled on cdn0.apartmentlist.com (which is powered by cloudfront). Perhaps the issue is already fixed? |
|||
10-02-2014, 06:55 PM
Post: #12
|
|||
|
|||
RE: Gaps in waterfall specifically in IE
Hello Matt,
Yes we have a ticket number and the latest update says AWS is investigating the issue and their product teams are on the case. It is an internal support case so you might not be able to view the ticket history/details. What you say is correct. For apartmentlist.com OSCP stapling works even for custom domains. In our case OSCP stapling doesn't work for custom domains. We cross checked both the URL's in SSL Labs. We also shared this finding with AWS(for apartmentlist.com OSCP stapling works). |
|||
10-27-2014, 04:17 AM
Post: #13
|
|||
|
|||
RE: Gaps in waterfall specifically in IE
I work with Sundeep, and we finally figured out what was wrong.
The AWS support team checked on their side and confirmed that everything worked well, but the way we did our tests for OCSP stapling was actually flawed. The OCSP stapling happens at the CloudFront edge level so every node from an edge location needs to do it. The first request returns immediately a non-stapled answer and the node fires an OCSP request to our CA and then caches the answer which is then used for the subsequent requests hitting that edge node. (The nodes currently don't share these caches, but I filed a feature request so that they try to use a shared storage for that content, like they do for static content.) During our test we only executed a relatively small number of requests, so we never hit the same edge node twice and that's why it appeared the stapling was broken. When testing you need to fire a few hundreds of requests until consistently getting stapled responses. As for explaining the rest of the gap from our waterfall graph, we saw that it often happens that the CPU is maxed out while loading our app, for multiple reasons:
|
|||
10-27-2014, 04:43 AM
Post: #14
|
|||
|
|||
RE: Gaps in waterfall specifically in IE
(09-30-2014 08:59 AM)quarterdome Wrote: The results from a Thinkpad look way more reasonable. The CPU usage is the bottleneck. I think you have too many SSL connections being set up in parallel, those are quite heavy on the CPU. If possible, try to switch to a CDN provider that supports SPDY, so you'll only have an SSL connection to each of your domains. |
|||
« Next Oldest | Next Newest »
|
User(s) browsing this thread: 1 Guest(s)