Slow TLS handshake

We’re struggling to figure out what’s wrong with our configuration. The TLS handshake appears to be taking 99% of the page load. Whilst the website is unoptimized, the delay appears to be caused by the certificate. It does not appear to be the local certificate store, and all users throughout the world, using any type of browser, have this issue.

The domain is, we’re using Digital Ocean droplets using Ubuntu LAMP, version 16.04

Have we misconfigured the certificate?

After receiving the ClientHello message, the server is taking an exceptionally long time to respond with the ServerHello message. After that, the key exchange is pretty quick.

I would guess that something is up with the MTU of your server’s network interface, but it would take more information to be sure.

Some extra information could help:

Check if it is still slow if you connect over loopback interface (from the server):

time (echo "Q" | openssl s_client -debug -connect -servername

Check MTU:

ip ad | grep mtu

Edit: Apparently Apache hitting the MaxClients limit can also manifest itself like this; try increasing that if it’s not already high.

I would also check CPU, disk, and memory utilization.

ByteCheck shows a much better percentage (~60%, which is rather normal).

If all else fails, you could try switching the RSA 2048 bit cert for an ECDSA 256 bit cert.
To see how the CPU and ciphers perform on your system, try:
openssl speed

This test result is rather low:

openssl s_time -connect
No CIPHER specified
Collecting connection statistics for 30 seconds
82 connections in 1.09s; 75.09 connections/user sec, bytes read 0
82 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
135 connections in 0.08s; 1730.76 connections/user sec, bytes read 0
135 connections in 31 real seconds, 0 bytes read per connection

Try this command locally, see if the numbers are higher:
openssl s_time -connect localhost:443

NOTE: some versions of openssl require a specified cipher; if so, use your site’s preferred one, e.g. -cipher ECDHE-RSA-AES128-GCM-SHA256
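To make the s_time numbers above easier to read, here is an added example (not from this thread) that parses s_time output into wall-clock versus client-CPU cost per handshake and times TCP connect and TLS handshake separately against a live host; the function names, the 10x heuristic in diagnose() and the embedded sample are my own constructions, with the sample values copied from the output quoted above.

```python
import re
import socket
import ssl
import time

# Constructed sample in the shape openssl s_time prints; numbers taken from the thread.
SAMPLE_S_TIME = """\
Collecting connection statistics for 30 seconds
82 connections in 1.09s; 75.09 connections/user sec, bytes read 0
82 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
135 connections in 0.08s; 1730.76 connections/user sec, bytes read 0
135 connections in 31 real seconds, 0 bytes read per connection
"""

CPU_RE = re.compile(r"(\d+) connections in ([\d.]+)s;")
REAL_RE = re.compile(r"(\d+) connections in (\d+) real seconds")

def parse_s_time(text):
    """Per phase (full handshake / session reuse): ms of wall-clock and of client CPU per connection."""
    phases = {}
    for name, chunk in zip(("full", "resumed"), text.split("Now timing with session id reuse.")):
        cpu, real = CPU_RE.search(chunk), REAL_RE.search(chunk)
        if not (cpu and real):
            continue
        n, cpu_s, real_s = int(cpu.group(1)), float(cpu.group(2)), int(real.group(2))
        phases[name] = {"connections": n,
                        "wall_ms_per_conn": round(1000 * real_s / n, 1),
                        "cpu_ms_per_conn": round(1000 * cpu_s / n, 1)}
    return phases

def diagnose(phases):
    """Heuristic (assumption): wall-clock far above client CPU per handshake means waiting on the server."""
    full = phases["full"]
    if full["wall_ms_per_conn"] > 10 * full["cpu_ms_per_conn"]:
        return "server-side wait (backlog/MaxClients), not handshake crypto cost"
    return "handshake cost dominated by crypto work"

def time_handshake(host, port=443, servername=None, timeout=10):
    """Live check (not run by the test): TCP connect and TLS handshake timed separately.
    servername mirrors s_client -servername so loopback can be tested: time_handshake("127.0.0.1", servername="example.org")."""
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    sock = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:  # handshake happens here
        t2 = time.perf_counter()
        return {"tcp_ms": round((t1 - t0) * 1000, 1), "tls_ms": round((t2 - t1) * 1000, 1),
                "version": tls.version()}
```

Run over the quoted output, the full handshake costs about 378 ms of wall-clock but only 13 ms of client CPU, and even session reuse (no key exchange at all) still waits about 230 ms per connection, which points at the server queueing connections rather than at RSA or the certificate.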

_az, Thanks a bunch! It appears to have indeed been MaxClients which was set to 256. We have increased this value and it seems to be fixed.
