Cannot establish the TLS connection using some networks in China

It takes a long time to establish the TLS connection and always fails when I using educational network in China ( the network for college students). But when I visit it via http using the same pc, same network, I can connect with it in several seconds. And, if I turn on the proxy, using the network in America instead, I will be able to visit the website via https quickly. So what should I do? I cannot use Let’s encrypt in China using educational network? Or how can I find the problems with my website. Thanks.

My domain is:https://www.flyzy2005.cn

I ran this command:

It produced this output:

My web server is (include version):Nginx/1.10.3

The operating system my web server runs on is (include version):Ubuntu 16.04

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):Wordpress 4.9.2

Hi @flyzy2005,

I’m also able to load this site quickly from an Internet connection in the United States. I guess it is physically hosted in New Jersey, on the U.S. East Coast.

The Chinese Internet is known to interfere with connections to many sites outside of the country so it’s possible that your site is being intentionally slowed down or blocked (not necessarily because anyone is targeting you, but maybe, for example, because of other sites that are hosted at the same provider?). Blocking HTTPS connections is more likely than blocking HTTP connections because they are harder to monitor and control.

You could try some other tools to try to diagnose the problem in more detail. Do you have access to a Unix command line on a machine your educational network?

You could also ask the hosting provider to be sure that they’re not blocking incoming connections from particular networks (for example, for suspicion of being the origin of a lot of spam e-mails).

I tested a few key endpoints using websitepulse.com and I noticed that their site loads fine, but ocsp.int-x3.letsencrypt.org often, but not always, takes excessively long to respond from some locations in China, particularly Shanghai.

@flyzy2005 if you could enable OCSP Stapling on your server (or ask your provider to) it would probably reduce the issues you’re seeing.

But, not all clients support this so it would still be very helpful (for you and everyone visiting sites that use Let’s Encrypt in China) if you could help the LE team with information from your network vantage point.

1 Like

I’m testing his site using VPS in China and my home network (U.S Georgia).

The results are quite different,

VPS in China:
Total Load: 16.11s
www (https):2.6s — Initial Connection 1.51s, SSL 288ms. Stalled 1.51s

My Home PC:
Total Load: 4.26s
www (https): 705.13ms — Initial Connection 389.22ms, SSL 192.97ms. Stalled 389.51ms.

The trouble seems not (that much) related to TLS/SSL, but more to his server response to Chinese Users.

Yes. loading https takes way longer in China than load http (however, it’s taking more in initial response time rather than SSL)

This might due to cache, but you set cache ttl to 3s. So not a problem now.

Of course you can use LT in Educational Network. (You can actually make your website faster by using 阿里云 and use LT as SSL)

use debug mode:
Chrome, press F12 Network tab and no cache refresh. (shift+F5)
Firefox, Network tab in Developer Mode.
360, why so bother. lol

Good luck.

P.S.
My friends in ping.cat told me you can use BGP on vultr.


However i don’t know how to do it.

Good luck again.

Thanks,
Steven Zhu

Thank you for your reply.

I have no access to a Unix command on my educational network. But I think it is not due to blocking, since I can connect it quickly sometimes using the same network. I have no idea on diagnosing the problem since I have no experience on it. But when I cannot connect it, the messages on Chrome and Firefox both show me that “Establishing TLS handshakes…”

Thank you for your test and reply.

I will find out what is OCSP Stapling and have a try.

Thank you.

But when I used http to visit another website hosted on the same VPS, it could response quickly. So I suspected that it was caused by https. And of course, I have clear all the cache.

And now I find a particular educational network (using by one of my friend), I cannot establish https at all. Chorme always tells me that my website(flyzy2005.cn) maybe does not work now, but I can also get connect to that http website.

I also suspected that it may be caused by my VPS. But if I chose 阿里云, 备案 in China would be a problem. And compared with Vultr, the VPS with same size, price in aliyun is much higher - -

Anyway, thank you very much for you test and reply!

This is OCSP stapling.

然而你已经备案了

I was suspect the IP got blacklisted, but it’s not.(Or your site may not even load)

An advice,
Go find a CDN like cloudflare.com or su.baidu.com and try if there’s any problem connecting using their ssl.

P.S.

You friend isn’t using XP, right?

Thanks,
Steven Zhu

Also,

I suggest upgrading your Nginx (if possible).

Thanks,

Steven Zhu

Okay, I will try OSCP stapling and upgrade Nginx to see whether it will be better.

备案的话我换到阿里云是要重新备案的,备一次还不能通用,我去咨询过了。

总之谢谢你~

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.