Make SSL faster on Linux CentOS with Apache 2.4 OpenSSL 1.0

Question

colleagues!

Well, I am with a huge problem with the speed of SSL Authentication. Since I move my website to SSL, the GoogleBot reduce the indexing of my website, because the SSL Negotiation is with below value I got with WebPageTest.org:

URL: https://www.musiconline.com.br/jorge-e-mateus/alcapao/

Host: www.musiconline.com.br

Error/Status Code: 200

Client Port: 0

Start Offset: 0.735 s

DNS Lookup: 34 ms

Initial Connection: 170 ms

SSL Negotiation: 531 ms

Time to First Byte: 311 ms

Content Download: 178 ms

Bytes In (downloaded): 13.2 KB

Bytes Out (uploaded): 0.4 KB

Look, the "SSL Negotiation" is in 531ms, a big value.

Someone know how can I solve this issue?

---

I verified the mod_spdy, however, I can't install because the follow message in my Linux CentOS 6, Apache 2.4:

root@server1 [/home/login/src]# rpm -U mod-spdy-*.rpm

warning: mod-spdy-beta_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY

error: Failed dependencies:

    httpd >= 2.2.4 is needed by mod-spdy-beta-0.9.4.3-420.x86_64

    mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.4.3-420.x86_64

---

root@server1 [/home/login/src]# httpd -v

Server version: Apache/2.4.12 (Unix)

Server built: Mar 21 2015 10:58:04

Cpanel::Easy::Apache v3.28.4 rev9999

---

root@server1 [/home/molbr/src]# uname -a

Linux server1.musiconline.com.br 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

---

Thanks for assistance.

Answer 1

Initial Connection: 170 ms

SSL Negotiation: 531 ms

Looking at a packet capture I can see that after the initial TCP handshake the client starts the Handshake and it then it takes a long time for the server to send all necessary data back (ServerHello, Certificates...). These data need 5 packets and due to various TCP magic and OS tuning the last packet will only be send once it got the acknowledgements for previous packets. In detail this TCP magic might probably be TCP slow start with a fixed initial congestion windows of 4 with the CentOS version you use (see https://www.igvita.com/2011/10/20/faster-web-vs-tcp-slow-start/).

What can you do: fix you certificate chain. If you look at the SSLLabs report you will see "Chain issues: Contains anchor" which means that you send the root certificate even though the root certificate will be ignored by the client and instead a trusted CA built into the client is used (trust chain must be built from local trust!). If you fix your configuration by removing this root certificate the data sent by the server will be shorter and you will not run into the slow-start problem.