Letsencrypt OCSP response times measured?


#1

@josh @jsha @jcjones @kelunik @schoen @pde

From article at https://blog.digicert.com/ocsp-times-and-what-they-mean-for-you/ and https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ OCSP response times matter, so curious if Letsencrypt folks have or are actively measuring, benchmarking and monitoring their response times in response to increasing loads and demands ?

How does Letsencrypt’s OCSP response times fare against other CAs ? Just curious :slight_smile:

And some other stats at http://uptime.netcraft.com/perf/reports/performance/OCSP different numbers if ordered by total time http://uptime.netcraft.com/perf/reports/performance/OCSP?orderby=avg_total

I believe LE said they are using Akamai for this ? And I believe Globalsign use Akamai too, so close ?


#2

OCSP response times don’t matter that much once OCSP stapling is supported everywhere. Unfortunately, we didn’t have time to implement it for PHP’s streams in time for PHP 7. :worried:


#3

indeed true… just curious how LE OCSP performance stacks up with other CAs for non-stapled responses. i.e. pretty sure there’s quite a lot of Apache 2.2.x based https serving servers out there too.


#4

Every server supporting it makes it not only faster for its users but also for all other LE sites, because the LE servers have less load then. Can’t give you any stats. :wink:


#5

indeed it does… guess it’s important in LE client deployment where you alter server configs, that OCSP stapling is configured where available :smiley:

hmmm if it’s that important, not sure if additional automated checks for working OCSP on LE deployed and auto reconfigured web servers would be a good idea ?
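A check of the kind suggested here, as an added example that is not from the thread or from Let's Encrypt's own tooling: it classifies the output of `openssl s_client -status` to confirm a server staples a good OCSP response (the host and port are assumed placeholders; the sample outputs are constructed).

```shell
#!/bin/sh
# Added example (not from the thread): verify that a web server actually
# staples a good OCSP response. Sample outputs below are constructed.

# Classify captured `openssl s_client -status` output.
# Prints one of: stapled, no-staple, bad-staple; exit code 0/1/2 respectively.
ocsp_staple_state() {
  out=$1
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
      echo stapled; return 0
    fi
    echo bad-staple; return 2        # stapled, but status is revoked/unknown
  fi
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo no-staple; return 1         # server did not staple at all
  fi
  echo bad-staple; return 2          # unparseable or error response
}

# Live check against a server (needs network; host/port are placeholders).
check_server_staple() {
  host=$1; port=${2:-443}
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status 2>/dev/null)
  ocsp_staple_state "$out"
}

# Constructed sample outputs, trimmed to the lines the parser looks at.
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'

ocsp_staple_state "$SAMPLE_STAPLED" || :   # stapled
ocsp_staple_state "$SAMPLE_NONE" || :      # no-staple
ocsp_staple_state "$SAMPLE_REVOKED" || :   # bad-staple
```

For a deployment check, call `check_server_staple example.org` after reconfiguring the server and treat any non-zero exit as a failed deployment.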


#6

interesting finding from http://uptime.netcraft.com/perf/reports/performance/OCSP?orderby=avg_total and looking at individual CAs’ ocsp stats pages: of the top 5 commercial CAs some use Akamai as well, but the faster Akamai ones are reporting server signatures as Nginx while slower Akamai ones are reporting Apache 2.2/Debian :slight_smile:

nginx > apache :smiley:


#7

As of today our OCSP responder answers in 41ms average, 47ms median.

We definitely care a lot about performance characteristics of our OCSP responder, and we plan to continue monitoring it in the long run as load increases.

Of course, we also strongly encourage everyone who can enable OCSP Stapling to do so. It’s a win on multiple levels!


#8

sweet thanks @jsha for sharing that info 41-47ms is good :slight_smile:


#9

@jsha @jcjones how’s response times now with public beta operational ? :slight_smile:


#10

30ms median, 38ms mean.


#11

looking good… @jsha :slight_smile:


#12

@jsha @schoen would deploying cloudflare’s dynamic tls record size patch on letsencrypt’s ocsp servers which are nginx based be of any benefit in terms of ocsp response times https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/ ? Was beneficial for my nginx patched servers - benchmarks https://community.centminmod.com/posts/32120/ :slight_smile:

actual patch https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__dynamic_tls_records.patch


#13

We use Nginx in our DC, but that is in turn fronted by Akamai, which we are not at liberty to patch. :slight_smile:


#14

@jsha update with letsencrypt included http://uptime.netcraft.com/perf/graph?site=ocsp.int-x3.letsencrypt.org&tn=&range=86400&sd=0&collector=all&sample=2#performanceReport

by avg response time