Slow TLS handshake

Ferreno · May 15, 2018, 8:24pm

We’re struggling to figure out whats wrong with our configuration. The TLS handshake appears to be taking 99% of the page load. Whilst the website is unoptimized, the delay appears to be caused by the certificate. It does not appear to be the local certificate store, and all users throughout the world, using any type of browser have this issue.

http://www.webpagetest.org/result/180515_RF_d7a09d54b47b25a3587dda07c5c87932/2/details/#waterfall_view_step1

The domain is www.snowcrows.com, we’re using Digital Ocean droplets using Ubuntu LAMP, version 16.04

Have we misconfigured the certificate?

_az · May 15, 2018, 9:03pm

After receiving the ClientHello message, the server is taking an exceptionally long time to respond with the ServerHello message. After that, the key exchange is pretty quick.

I would guess that something is up with the MTU of your server’s network interface, but it would take more information to be sure.

Some extra information could help:

Check if it is still slow if you connect over loopback interface (from the server):

time (echo "Q" | openssl s_client -debug -connect 127.0.0.1:443 -servername www.snowcrows.com)

Check MTU:

ip ad | grep mtu

Edit: Apparently Apache hitting the MaxClients limit can also manifest itself like this, try increasing that if it’s not already high.

rg305 · May 15, 2018, 11:08pm

I would also check CPU, disk, and memory utilization.
ByteCheck shows a much better percentage (~60% which is rather normal)
http://www.bytecheck.com/results?resource=https%3A%2F%2Fsnowcrows.com%2F

If all else fails, you could try switching the RSA 2048 bit cert for an ECDSA 256 bit cert.
To see how the CPU and ciphers perform on your system, try:
openssl speed

This test result is rather low:

openssl s_time -connect www.snowcrows.com:443
No CIPHER specified
Collecting connection statistics for 30 seconds
82 connections in 1.09s; 75.09 connections/user sec, bytes read 0
82 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
135 connections in 0.08s; 1730.76 connections/user sec, bytes read 0
135 connections in 31 real seconds, 0 bytes read per connection

Try this command locally, see if the numbers are higher:
openssl s_time -connect localhost:443

NOTE: some versions of openssl require specified cipher, if so, use your site preferred -cipher ECDHE-RSA-AES128-GCM-SHA256

Ferreno · May 16, 2018, 4:24pm

_az, Thanks a bunch! It appears to have indeed been MaxClients which was set to 256. We have increased this value and it seems to be fixed.

system · June 15, 2018, 4:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problems of significant slowness on a website since passing in https with let's Encrypt Help	36	8172	January 6, 2018
Slow TLS Handshakes since 07 September 2022 Help	9	1838	December 24, 2022
Sudden increase in handshake duration Server	13	2809	March 28, 2019
Over 20 seconds to open site after renewing SSL certificate! Help	24	10135	September 3, 2017
Tomcat with Letencrypt response very slow Help	4	401	October 26, 2023

Slow TLS handshake

Related topics