Letsencrypt OCSP response times measured?

@josh @jsha @jcjones @kelunik @schoen @pde

From article at https://blog.digicert.com/ocsp-times-and-what-they-mean-for-you/ and https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ OCSP response times matter, so curious if Letsencrypt folks have or are actively measuring, benchmarking and monitoring their response times in response to increasing loads and demands ?

How does Letsencrypt’s OCSP response times fair against other CAs ? Just curious

And some other stats at http://uptime.netcraft.com/perf/reports/performance/OCSP different numbers if ordered by total time http://uptime.netcraft.com/perf/reports/performance/OCSP?orderby=avg_total

Pasted image853×818 55.3 KB

I believe LE said their are using Akamai for this ? And I believe Globalsign use Akamai too, so close ?

OCSP response times don’t matter that much once OCSP stapling is supported everywhere. Unfortunately, we didn’t have time to implement it for PHP’s streams in time for PHP 7.

indeed true.. just curious how LE OCSP performance stacks up with other CAs for non-stapled responses. i.e. pretty sure there's quite alot of Apache 2.2.x based https serving servers out there too.

Every server supporting it makes it not only faster for its users but also for all other LE sites, because the LE servers have less load then. Can’t give you any stats.

indeed it does… guess it’s important in LE client deployment where you alter server configs, that OCSP stapling is configured where available

hmmm if it’s that important, not sure if additional automated checks for working OCSP on LE deployed and auto reconfigured web servers would be a good idea ?

interesting finding from http://uptime.netcraft.com/perf/reports/performance/OCSP?orderby=avg_total and looking an individual CA’s ocsp stats pages the top 5 commercial CA’s some use Akamai as well but the faster Akamai ones are reporting server signatures as Nginx while slower Akamai ones are reporting Apache 2.2/Debian

nginx > apache

As of today our OCSP responder answers in 41ms average, 47ms median.

We definitely care a lot about performance characteristics of our OCSP responder, and we plan to continue monitoring it in the long run as load increases.

Of course, we also strongly encourage everyone who can enable OCSP Stapling to do so. It's a win on multiple levels!

sweet thanks @jsha for sharing that info 41-47ms is good

@jsha @jcjones how’s response times now with public beta operational ?

30ms median, 38ms mean.

looking good… @jsha

@jsha @schoen would deploying cloudflare’s dynamic tls record size patch on letsencrypt’s ocsp servers which are nginx based be of any benefit in terms of ocsp response times https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/ ? Was beneficial for my nginx patched servers - benchmarks https://community.centminmod.com/posts/32120/

actual patch https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__dynamic_tls_records.patch

We use Nginx in our DC, but that is in turn fronted by Akamai, which we are not at liberty to patch.

@jsha update with letsencrypt included http://uptime.netcraft.com/perf/graph?site=ocsp.int-x3.letsencrypt.org&tn=&range=86400&sd=0&collector=all&sample=2#performanceReport

Pasted image957×512 33.3 KB

by avg response time

Pasted image940×480 15.9 KB