
Make SSL faster on Linux CentOS with Apache 2.4 OpenSSL 1.0

Colleagues!

Well, I have a huge problem with the speed of SSL authentication. Since I moved my website to SSL, Googlebot has reduced the indexing of my website, because the SSL negotiation has the value below, which I got from WebPageTest.org:

URL: https://www.musiconline.com.br/jorge-e-mateus/alcapao/
Host: www.musiconline.com.br
Error/Status Code: 200
Client Port: 0
Start Offset: 0.735 s
DNS Lookup: 34 ms
Initial Connection: 170 ms
SSL Negotiation: 531 ms
Time to First Byte: 311 ms
Content Download: 178 ms
Bytes In (downloaded): 13.2 KB
Bytes Out (uploaded): 0.4 KB

Look, the "SSL Negotiation" is at 531 ms, a big value.

Does someone know how I can solve this issue?

I looked at mod_spdy; however, I can't install it because of the following message on my Linux CentOS 6, Apache 2.4:

root@server1 [/home/login/src]# rpm -U mod-spdy-*.rpm
warning: mod-spdy-beta_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
error: Failed dependencies:
    httpd >= 2.2.4 is needed by mod-spdy-beta-0.9.4.3-420.x86_64
    mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.4.3-420.x86_64

root@server1 [/home/login/src]# httpd -v
Server version: Apache/2.4.12 (Unix)
Server built: Mar 21 2015 10:58:04
Cpanel::Easy::Apache v3.28.4 rev9999

root@server1 [/home/molbr/src]# uname -a
Linux server1.musiconline.com.br 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


Thanks for assistance.

Andre Luis de Andrade asked Sep 29 '22 11:09


1 Answer

Initial Connection: 170 ms

SSL Negotiation: 531 ms

Looking at a packet capture I can see that after the initial TCP handshake the client starts the Handshake and then it takes a long time for the server to send all necessary data back (ServerHello, Certificates...). These data need 5 packets and due to various TCP magic and OS tuning the last packet will only be sent once it got the acknowledgements for previous packets. In detail this TCP magic might probably be TCP slow start with a fixed initial congestion window of 4 with the CentOS version you use (see https://www.igvita.com/2011/10/20/faster-web-vs-tcp-slow-start/).

What can you do: fix your certificate chain. If you look at the SSLLabs report you will see "Chain issues: Contains anchor" which means that you send the root certificate even though the root certificate will be ignored by the client and instead a trusted CA built into the client is used (trust chain must be built from local trust!). If you fix your configuration by removing this root certificate the data sent by the server will be shorter and you will not run into the slow-start problem.

Steffen Ullrich answered Oct 16 '22 09:10
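The check described in the answer above can be scripted. This is an added example, not code from the answer: it walks a PEM chain file, flags certificates whose issuer equals their subject (the "anchor" SSLLabs reports) and estimates how many TCP segments the certificates need with and without them. The 1460-byte MSS, the function names and the sample chain (unsigned DER skeletons padded to certificate-like sizes) are assumptions, and only the certificate bytes are counted, not the rest of the handshake.

```python
import base64, math, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Return the raw issuer and subject Name bytes of one certificate."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]  # Certificate -> TBSCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:  # optional explicit [0] version field
        fields.pop(0)
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject

def chain_report(pem_bundle, mss=1460):  # mss: assumed TCP payload per segment
    """Return ([(der_size, is_anchor)], segments_with_anchor, segments_without)."""
    certs = []
    for m in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode(m.group(1))
        issuer, subject = issuer_and_subject(der)
        certs.append((len(der), issuer == subject))  # self-issued: root / anchor
    # each certificate carries a 3-byte length prefix in the TLS Certificate message
    segs = lambda keep: math.ceil(sum(n + 3 for n, a in certs if keep or not a) / mss)
    return certs, segs(True), segs(False)

# Constructed sample input: unsigned skeletons, not real certificates.
def tlv(tag, body):
    size = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + size + body

def fake_cert(issuer, subject, pad):
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, bytes(pad)))
    der = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE = (fake_cert("Example CA", "www.example.test", 2000)
          + fake_cert("Example Root", "Example CA", 2500)
          + fake_cert("Example Root", "Example Root", 1500))
if __name__ == "__main__":
    print(chain_report(SAMPLE))
```

To check a real server, pass the bytes of the chain file it is configured to send; any entry flagged as an anchor can be dropped from that file.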