Five seconds is far too long for a (correctly configured) SSL negotiation and you are probably on track to suspect slow processing of the CRL or OCSP bits of the certificate.
I'd suggest testing it out with "openssl s_client", with certificate validation on and off. Also it would be helpful if you posted the X.509 cert details.

--Steve

On Mon, Oct 31, 2011 at 11:25 AM, Mayo, Bill <[email protected]> wrote:

> I am not much of an IIS guy (know enough to get by), and I have a request from one of our developers to investigate why SSL is slow. What I can confirm is that the initial connection to SSL takes several seconds (5 or more), but after that it is fine. My research on the topic suggests that it is normal for the initial connection to be relatively slow, but it seems like it shouldn’t take as long as it does. The one thing I ran across that I am not clear whether may be at issue is the certificate revocation checks. The connections in question are certificates that are for internal web access and are signed by our internal certification authority (domain controller). Is there something I can do in regards to certificate revocation checks to speed the process up? Any other suggestions?
>
> ~~~~~~~~~~
> Bill Mayo
> Director of Infrastructure
> Pitt County MIS
> V:252-902-3831 F:252-830-6361 E:[email protected]
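
The "CRL or OCSP bits" and "X.509 cert details" mentioned in the reply can be pulled out of a certificate and each endpoint timed. The script below is an added example, not part of the original thread. It assumes `openssl` and `curl` are installed; the function names, the sample certificate and its `example.internal` URLs are constructed for illustration.

```shell
#!/usr/bin/env bash
# List the revocation endpoints (CRL distribution points, OCSP responders)
# named in a certificate, and optionally time how long each takes to answer.

crl_uris() {   # $1 = PEM certificate file
  openssl x509 -in "$1" -noout -text | awk '
    /CRL Distribution Points/ { cdp = 1; next }
    cdp && /URI:/             { sub(/.*URI:/, ""); print; next }
    cdp && NF && !/Full Name/ { cdp = 0 }'   # next extension ends the section
}

ocsp_uris() {  # $1 = PEM certificate file
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Plain HTTP GET, so for OCSP this measures reachability, not a real query.
fetch_seconds() {  # $1 = URL; prints total seconds, capped at 15 s
  curl -s -o /dev/null --max-time 15 -w '%{time_total}\n' "$1"
}

# Constructed sample: a throwaway self-signed cert with made-up endpoints.
make_sample_cert() {  # $1 = output directory; prints the cert path
  cat > "$1/sample.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = intranet.example.internal
[ext]
crlDistributionPoints = URI:http://crl.example.internal/ca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.internal/
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.cnf" \
    -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
  echo "$1/sample.pem"
}

report() {  # $1 = cert file, $2 = "time" to also fetch each endpoint
  for u in $(crl_uris "$1") $(ocsp_uris "$1"); do
    if [ "$2" = time ]; then echo "$u $(fetch_seconds "$u")s"; else echo "$u"; fi
  done
}

if [ -n "$1" ]; then report "$1" time          # real cert: list and time
else d=$(mktemp -d); report "$(make_sample_cert "$d")"; rm -rf "$d"; fi
```

Run it with a PEM export of the server certificate as the first argument, from a machine that sees the slow first connection. An endpoint whose fetch runs to the 15-second cap is one the client cannot reach.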
