Topic: SSL handshake taking too long
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Fri 01 Jan '16 11:30    Post subject: SSL handshake taking too long

Hello!

I have installed apache2 with SSL on CentOS. My application is taking too long in the SSL connection in the browser. Please guide.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7407
Location: EU, Germany, Next to Hamburg

Posted: Fri 01 Jan '16 12:49

In any browser?

How did you install the SSL Cert?
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Fri 01 Jan '16 14:00

Yes, any browser.

Got the SSL from the Authority and placed the .crt and .key files on the path mentioned in the .conf file.
Back to top
maba



Joined: 05 Feb 2012
Posts: 64
Location: Germany, Heilbronn

Posted: Fri 01 Jan '16 21:15

Still very little detail.

How long is too long? How does it compare to the same setup without SSL?

It might be a problem with DNS. It is important for SSL that DNS is resolving both the A and the PTR record properly.
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Fri 01 Jan '16 22:35

We are not using it without SSL. We are using Node and PHP in Apache. The browser shows it takes around 900ms in the SSL handshake.
I want to show you the screenshot, how can I attach it?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7407
Location: EU, Germany, Next to Hamburg

Posted: Sat 02 Jan '16 22:27

mmfarooq@live.com wrote:

Want to show you the screenshot, how can I attach?

Google for image hosting, upload your image and post the URL to that image here.
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Sun 03 Jan '16 19:12

http://s12.postimg.org/3u7q40mr1/Screen_Shot_2016_01_01_at_12_26_20_PM.png

Here is the time shown for SSL calls in the browser (Chrome).
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Mon 04 Jan '16 8:38

What kind of keysize? (2048 or 4096 ... ?)
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Mon 04 Jan '16 8:54

jraute, the key size is 2048.
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Mon 04 Jan '16 12:53

Is only the handshake taking that long and afterwards it is fast or does it take that time for every request?

Have a look at http://unmitigatedrisk.com/?p=234

(Between 500ms and 1000ms can be very normal depending on the infrastructure.)
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Mon 04 Jan '16 13:47

After the SSL call, it looks good, really fast. Every SSL call is taking too much time.
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Mon 04 Jan '16 16:18

I've just checked the response time for one of our webservers and I have to say that the OCSP request to GlobalSign, with 597ms, causes most of the time.

So in your case 800ms is maybe very normal.

Keep in mind that in the case of servers behind a company firewall (for example in a DMZ), response times can be increased.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7407
Location: EU, Germany, Next to Hamburg

Posted: Mon 04 Jan '16 17:53

You can try SSLStaplingCache

Code:
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)

# the default is 600, which is way too long
SSLStaplingErrorCacheTimeout 2
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Tue 05 Jan '16 15:28

The SSL cache entries in my ssl.conf are:


SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Tue 05 Jan '16 17:05

Caching does not mean that stapling is on.
Look at the code James Blond provided.

For stapling you need
Code:
SSLUseStapling On
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore

Posted: Thu 07 Jan '16 14:30

HTTP Server Header: Apache/2.2.29 (Amazon)
Using this Apache version, SSLUseStapling is not being configured; it throws some syntax error. I did a lot of troubleshooting but couldn't find that syntax error.
I am working on an EC2 instance.
SSLUseStapling On
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Thu 07 Jan '16 16:13

Sorry, Apache supports OCSP stapling in Apache HTTPD Server since version 2.3.3.
Back to top
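
Added example, not part of any post in this thread: shell helpers that check whether a server's Apache version can accept SSLUseStapling at all (using the 2.3.3 minimum stated in the last post) and whether a server is actually stapling, by classifying `openssl s_client -status` output. The function names, the sample s_client output and the host example.org are constructed for illustration.

```sh
# Added example: is OCSP stapling available, and is the server stapling?
MIN_STAPLING_VERSION="2.3.3"   # minimum httpd version, as stated in the thread

# version_ge A B: succeeds when dotted version A >= B
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# stapling_supported "<Server header value>": prints yes, no or unknown
stapling_supported() {
    ver=$(printf '%s\n' "$1" | sed -n 's|^Apache/\([0-9][0-9.]*\).*|\1|p')
    if [ -z "$ver" ]; then echo unknown
    elif version_ge "$ver" "$MIN_STAPLING_VERSION"; then echo yes
    else echo no
    fi
}

# staple_state: reads `openssl s_client -status` output on stdin
staple_state() {
    awk '/OCSP response: no response sent/    { state = "none" }
         /OCSP Response Status: successful/   { state = "stapled" }
         /Cert Status:/                       { cert = $3 }
         END { if (state == "stapled") print "stapled:" (cert ? cert : "unknown")
               else print (state ? state : "unknown") }'
}

# handshake_ms CONNECT APPCONNECT: TLS handshake time from curl's timers
handshake_ms() { awk -v c="$1" -v a="$2" 'BEGIN { printf "%.0f\n", (a - c) * 1000 }'; }

# Constructed samples of s_client output (trimmed), not captured from a server
SAMPLE_NO_STAPLE='OCSP response: no response sent'
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
echo "Apache/2.2.29 (Amazon): $(stapling_supported 'Apache/2.2.29 (Amazon)')"
printf '%s\n' "$SAMPLE_NO_STAPLE" | staple_state
printf '%s\n' "$SAMPLE_STAPLED" | staple_state
# Live use (needs network; example.org is a placeholder):
#   openssl s_client -connect example.org:443 -servername example.org -status \
#       </dev/null 2>/dev/null | staple_state
#   curl -so /dev/null -w '%{time_connect} %{time_appconnect}\n' https://example.org/
```

Pass the two numbers curl prints to `handshake_ms` to get the handshake time in milliseconds, and compare it before and after enabling stapling.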