Hello! On Sat, Jun 28, 2014 at 01:14:16AM -0400, khav wrote:
> For my site, ssl seems to be slow even though i got A+ on sslabs
> (implemented ocsp stapling, Forward Secrecy, spdy)

Note that SSL Labs grades are about security, not about speed.

> Here is the result from pingdom
>
> http://tools.pingdom.com/fpt/#!/cc2MfH/https://www.filterbypass.me/
>
> Notice the high connect time and high ssl negotiation time

The test is done from the Netherlands, the site is in the US, RTT seems to be about 170ms. So, a connect will take 170ms minimum (1*RTT), and an SSL handshake without a cached session will take 340ms minimum (2*RTT). And these are only network costs, not counting any computational costs for SSL.

Pingdom numbers for the first pages as I see are as follows:

    SSL      168ms
    Connect  572ms
    Send       0ms
    Wait     304ms
    Receive    6ms

They seem to be labeled incorrectly (the 1st number is actually connect time, while the 2nd one is the SSL handshake, not vice versa as they are labeled).

Connect time seems pretty much normal, just 1 RTT, close to the minimum possible. SSL handshake time is a bit more than it could be, about 3 RTT for some reason. A simple test here suggests that the cause is likely CPU usage on your server - the response to ServerHello is noticeably delayed.

One of the possible reasons is that you prefer ciphers with forward secrecy, and they are CPU hungry, especially DH ones:

> ssl_ciphers
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
> ssl_prefer_server_ciphers on;

You may try "openssl speed rsa2048" to find out how many handshakes per core your server can handle. Note that ECDH with a 256 bit curve will result in about a 2x slowdown compared to plain RSA, and DH with 2048 bit params - up to a 10x slowdown.

Additionally, make sure that:

- you've properly tuned the number of worker processes to match your server cores, see http://nginx.org/r/worker_processes;

- the number of handshakes per second isn't reaching numbers your server can handle, use "openssl speed" to find out.
-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
http://mailman.nginx.org/mailman/listinfo/nginx
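A small worked calculation of the two points Maxim makes above, added here as an example; it is not part of the thread and not nginx or OpenSSL code. The first helper turns measured connect and handshake times into round trips and shows how much of the handshake time is left over once the unavoidable 1 RTT (TCP) and 2 RTT (uncached TLS handshake) are subtracted. The second parses the "sign/s" and "op/s" columns of `openssl speed rsa2048 ecdh` output and estimates full handshakes per second for RSA key exchange versus ECDHE-RSA, scaled by the nginx worker count. The `openssl speed` output embedded below is constructed, with the RSA and ECDH rates chosen as round numbers; the 170ms RTT is the thread's own estimate.

```python
"""Sizing TLS handshake cost: network round trips vs server CPU.

Added example, not code from the thread. All sample numbers are constructed.
"""
import re

RTT_MS = 170.0  # assumed Netherlands -> US round trip, as estimated in the thread


def rtt_budget(connect_ms, handshake_ms, rtt_ms=RTT_MS):
    """Express measured times in RTTs and isolate non-network handshake time.

    TCP connect needs 1 RTT; an uncached TLS 1.x handshake needs 2 more.
    Whatever exceeds 2*RTT on the handshake is spent elsewhere (server CPU,
    queueing behind busy workers, OCSP fetches, ...).
    """
    return {
        "connect_rtts": round(connect_ms / rtt_ms, 2),
        "handshake_rtts": round(handshake_ms / rtt_ms, 2),
        "handshake_excess_ms": round(handshake_ms - 2 * rtt_ms, 1),
    }


# Constructed sample in the layout `openssl speed rsa2048 ecdh` prints
# (OpenSSL 1.0.x style); numbers are illustrative, not a real measurement.
SPEED_OUTPUT = """\
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.001000s 0.000030s   1000.0  33333.3
                              op      op/s
 256 bits ecdh (nistp256)   0.0003s   4000.0
"""

_RSA_RE = re.compile(r"^rsa\s+(\d+)\s+bits\s+\S+\s+\S+\s+([\d.]+)\s+([\d.]+)\s*$", re.M)
_ECDH_RE = re.compile(r"^\s*(\d+)\s+bits\s+ecdh\s+\((\w+)\)\s+\S+\s+([\d.]+)\s*$", re.M)


def parse_speed(text):
    """Pull per-core operation rates out of `openssl speed` output.

    Returns e.g. {"rsa2048_sign": 1000.0, "ecdh_nistp256": 4000.0}.
    """
    rates = {}
    for bits, sign_per_s, _verify_per_s in _RSA_RE.findall(text):
        rates[f"rsa{bits}_sign"] = float(sign_per_s)
    for _bits, curve, ops_per_s in _ECDH_RE.findall(text):
        rates[f"ecdh_{curve}"] = float(ops_per_s)
    return rates


def handshake_capacity(rates, workers=1, rsa="rsa2048_sign", ecdh="ecdh_nistp256"):
    """Approximate full (non-resumed) handshakes per second.

    RSA key exchange costs the server one RSA private-key operation per
    handshake. ECDHE-RSA costs that same signature plus an ECDH operation,
    so the per-handshake time is the sum of the two. This is an
    approximation: older `openssl speed` builds time only the shared-secret
    derivation, newer ones include the ephemeral key generation, so treat
    the ECDHE figure as an upper bound. Per-core rates are multiplied by the
    worker count, assuming one worker per core and no other load.
    """
    rsa_per_s = rates[rsa]
    ecdhe_per_s = 1.0 / (1.0 / rsa_per_s + 1.0 / rates[ecdh])
    return {
        "rsa_only": round(rsa_per_s * workers, 1),
        "ecdhe_rsa": round(ecdhe_per_s * workers, 1),
    }


if __name__ == "__main__":
    # Pingdom numbers from the thread, read with the labels swapped as
    # Maxim notes: 168ms is the connect, 572ms is the handshake.
    print(rtt_budget(connect_ms=168, handshake_ms=572))
    print(handshake_capacity(parse_speed(SPEED_OUTPUT), workers=4))
```

Run it as-is to see the thread's numbers (about 1 RTT for connect, about 3.4 RTT for the handshake, 232ms of handshake time not explained by the network), then replace `SPEED_OUTPUT` with real `openssl speed rsa2048 ecdh` output from the server and `workers` with the configured `worker_processes` to get the handshakes-per-second ceiling to compare against the site's new-connection rate.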
