Re: SSL slow on nginx

Maxim Dounin
June 30, 2014 06:42PM
Hello!

On Sat, Jun 28, 2014 at 01:14:16AM -0400, khav wrote:

> For my site, ssl seems to be slow even though I got A+ on sslabs
> (implemented ocsp stapling, Forward Secrecy, spdy)

Note that SSL Labs grades are about security, not about speed.

> Here is the result from pingdom
>
> http://tools.pingdom.com/fpt/#!/cc2MfH/https://www.filterbypass.me/
>
>
> Notice the high connect time and high ssl negotiation time

The test is done from the Netherlands, the site is in the US, RTT seems to
be about 170ms. So, a connect will take 170ms minimum (1*RTT), and an SSL
handshake without a cached session will take 340ms minimum
(2*RTT). And these are only network costs, not counting any
computational costs for SSL.

Pingdom numbers for the first pages as I see are as follows:

SSL 168ms
Connect 572ms
Send 0ms
Wait 304ms
Receive 6ms

They seem to be labeled incorrectly (1st number is
actually connect time, while 2nd one is SSL handshake, not vice
versa as they are labeled). Connect time seems pretty much
normal, just 1 RTT, close to minimum possible. SSL handshake
time is a bit more than it could be, about 3 RTT for some reason.
A simple test here suggests that the cause is likely CPU usage on your
server - response to ServerHello is noticeably delayed.

One of the possible reasons is that you prefer ciphers with
forward secrecy, and they are CPU hungry, especially DH ones:

> ssl_ciphers
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
> ssl_prefer_server_ciphers on;

You may try "openssl speed rsa2048" to find out how many
handshakes per core your server can handle. Note that ECDH with
256 bit curve will result in about 2x slowdown compared to plain
RSA, and DH with 2048 bit params - up to 10x slowdown.

Additionally, make sure that:

- you've properly tuned the number of worker processes to match your
server cores, see http://nginx.org/r/worker_processes;

- number of handshakes per second isn't reaching numbers your
server can handle, use "openssl speed" to find out.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
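
Added example, not part of the message above and not nginx code: a small Python script that times TCP connect and TLS handshake separately and expresses the handshake in round trips, which is the comparison the reply makes by hand. The function names and the 0.5 RTT jitter tolerance are assumptions, and the TLS 1.3 case (one round trip for a full handshake) goes beyond the 2*RTT case discussed in the post.

```python
import socket
import ssl
import sys
import time

# Round trips in a full (non-resumed) handshake. The post's 2*RTT figure is
# the TLS 1.2-and-earlier case; TLS 1.3 needs one (added beyond the post).
FULL_HANDSHAKE_RTTS = {"TLSv1.3": 1}


def measure(host, port=443, timeout=10.0):
    """Time TCP connect and TLS handshake separately on a fresh connection."""
    # Resolve first so DNS lookup time is not counted as connect time.
    family, kind, proto, _, addr = socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM)[0]
    ctx = ssl.create_default_context()  # new context: no cached session
    with socket.socket(family, kind, proto) as sock:
        sock.settimeout(timeout)
        t0 = time.perf_counter()
        sock.connect(addr)  # SYN / SYN-ACK: about 1 RTT
        t1 = time.perf_counter()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            t2 = time.perf_counter()  # wrap_socket returns after the handshake
            return t1 - t0, t2 - t1, tls.version(), tls.cipher()[0]


def diagnose(connect_s, handshake_s, version="TLSv1.2", slack_rtts=0.5):
    """Express the handshake in RTTs, taking connect time as one RTT, and
    report the part that the expected round trips do not explain."""
    expected = FULL_HANDSHAKE_RTTS.get(version, 2)
    rtts = handshake_s / connect_s
    excess_s = max(0.0, handshake_s - expected * connect_s)
    return {
        "rtts": round(rtts, 1),
        "expected_rtts": expected,
        "excess_ms": round(excess_s * 1000),
        # slack_rtts is an assumed tolerance for jitter, not from the post
        "server_delay_suspected": rtts > expected + slack_rtts,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live measurement against a host you operate
        c, h, ver, cipher = measure(sys.argv[1])
        print(ver, cipher, diagnose(c, h, ver))
    else:  # figures quoted in the post: connect 168 ms, handshake 572 ms
        print(diagnose(0.168, 0.572))
```

Run without arguments it evaluates the Pingdom figures from the thread; the reported cipher shows whether an RSA, ECDH or DH key exchange was negotiated, which is the variable the reply ties to CPU cost.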