I'd also take a look at what is going on using fiddler and/or netmon if openssl isn't clear.
Sent from my HTC Tilt™ 2, a Windows® phone from AT&T

-----Original Message-----
From: Mayo, Bill <[email protected]>
Sent: Monday, October 31, 2011 9:48 AM
To: NT System Admin Issues <[email protected]>
Subject: RE: Speed up internal SSL?

Thanks for the response. I was not familiar with OpenSSL, but I have gotten that installed and am trying to do as you suggest. I was able to connect to the server using "openssl s_client -connect server.name:443" and see that it connected very quickly. Beyond that, I am having trouble figuring out the proper command(s) to do the validation on/off as you said. I see a "verify" option, but that looks like something that has to be run against an exported certificate, correct?

Bill

-----Original Message-----
From: Steve Kradel [mailto:[email protected]]
Sent: Monday, October 31, 2011 11:42 AM
To: NT System Admin Issues
Subject: Re: Speed up internal SSL?

Five seconds is far too long for a (correctly configured) SSL negotiation and you are probably on-track to suspect slow processing of the CRL or OCSP bits of the certificate. I'd suggest testing it out with "openssl s_client", with certificate validation on and off. Also it would be helpful if you posted the X.509 cert details.

--Steve

On Mon, Oct 31, 2011 at 11:25 AM, Mayo, Bill <[email protected]> wrote:
> I am not much of an IIS guy (know enough to get by), and I have a
> request from one of our developers to investigate why SSL is slow.
> What I can confirm is that the initial connection to SSL takes several
> seconds (5 or more), but after that it is fine. My research on the
> topic suggests that it is normal for the initial connection to be
> relatively slow, but it seems like it shouldn't take as long as it
> does. The one thing I ran across that I am not clear whether may be
> at issue is the certificate revocation checks. The connections in
> question are certificates that are for internal web access and are
> signed by our internal certification authority (domain controller).
> Is there something I can do in regards to certificate revocation checks to
> speed the process up? Any other suggestions?
>
> ~~~~~~~~~~
>
> Bill Mayo
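
Added example, not part of the original thread and not written by any of the posters: a Python sketch of the comparison discussed above. It times the TLS handshake on its own, then times a plain fetch of each CRL and OCSP URL named in the server certificate, so a slow or unreachable revocation endpoint stands out. The function names and the `cafile` parameter are assumptions; `server.name` is the placeholder host used in the thread.

```python
import socket
import ssl
import time
import urllib.request

def handshake(host, port=443, cafile=None, timeout=15):
    """Return (seconds, cert dict) for the TLS handshake alone.

    Python's default context validates the chain but does no CRL/OCSP lookup,
    so this is the "revocation off" baseline. cafile: PEM of the internal
    root CA (assumption: exported from the CA beforehand)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        start = time.perf_counter()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return time.perf_counter() - start, tls.getpeercert()

def revocation_urls(cert):
    """CRL distribution points and OCSP responders named in the certificate."""
    return list(cert.get("crlDistributionPoints", ())) + list(cert.get("OCSP", ()))

def fetch(url, timeout=15):
    """Return (seconds, outcome) for one plain GET of a revocation URL.

    Measures reachability and latency only; a bare GET is not a real OCSP
    query, and non-HTTP schemes such as ldap:// are reported as failed."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
            outcome = "HTTP %d" % resp.status
    except Exception as exc:
        outcome = "failed: %s" % type(exc).__name__
    return time.perf_counter() - start, outcome

def revocation_report(cert, timeout=15):
    """[(url, seconds, outcome)], slowest first."""
    rows = [(url, *fetch(url, timeout)) for url in revocation_urls(cert)]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    secs, cert = handshake("server.name")  # placeholder host from the thread
    print("handshake without revocation lookups: %.2fs" % secs)
    for url, secs, outcome in revocation_report(cert):
        print("%6.2fs  %-20s %s" % (secs, outcome, url))
```

A fast handshake combined with one endpoint that runs to the timeout points at revocation checking on the client rather than at the server's TLS configuration.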
