I saw this question asked several times on this website and others, but none of them provided me with a valid solution for my problem.
I have an Ubuntu Server 12.04 running Apache 2.2.22. HTTP traffic is working well, but SSL traffic is being really slow. While loading a website I can see the images loading, while in the HTTP version they all load almost immediately. I ran some tests:
HTTP:
ab -n 1000 -c 250 http://IP/test.jpeg
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking IP (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: Apache/2.2.22
Server Hostname: IP
Server Port: 80
Document Path: /test.jpeg
Document Length: 19558 bytes
Concurrency Level: 250
Time taken for tests: 11.104 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 19842000 bytes
HTML transferred: 19558000 bytes
Requests per second: 90.06 [#/sec] (mean)
Time per request: 2775.995 [ms] (mean)
Time per request: 11.104 [ms] (mean, across all concurrent requests)
Transfer rate: 1745.05 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 254 549 872.4 270 3289
Processing: 518 2046 1584.9 1250 8370
Waiting: 258 1596 1532.1 724 7214
Total: 779 2595 2044.1 1525 10467
Percentage of the requests served within a certain time (ms)
50% 1525
66% 2192
75% 3424
80% 4248
90% 6013
95% 7175
98% 7723
99% 10189
100% 10467 (longest request)
HTTPS:
ab -n 1000 -c 250 https://IP/test.jpeg
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking IP (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: Apache/2.2.22
Server Hostname: IP
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
Document Path: /test.jpeg
Document Length: 19558 bytes
Concurrency Level: 250
Time taken for tests: 62.911 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 19842000 bytes
HTML transferred: 19558000 bytes
Requests per second: 15.90 [#/sec] (mean)
Time per request: 15727.734 [ms] (mean)
Time per request: 62.911 [ms] (mean, across all concurrent requests)
Transfer rate: 308.01 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 1225 8408 3478.8 8733 14994
Processing: 957 6470 3693.6 5922 13997
Waiting: 258 2422 1720.7 1711 8113
Total: 10486 14878 4730.7 12594 27169
Percentage of the requests served within a certain time (ms)
50% 12594
66% 14805
75% 14828
80% 21609
90% 22990
95% 23136
98% 27115
99% 27125
100% 27169 (longest request)
HTTPS with keep alive:
ab -k -n 1000 -c 250 https://IP/test.jpeg
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking IP (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: Apache/2.2.22
Server Hostname: IP
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
Document Path: /test.jpeg
Document Length: 19558 bytes
Concurrency Level: 250
Time taken for tests: 13.565 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Keep-Alive requests: 1000
Total transferred: 19852150 bytes
HTML transferred: 19558000 bytes
Requests per second: 73.72 [#/sec] (mean)
Time per request: 3391.342 [ms] (mean)
Time per request: 13.565 [ms] (mean, across all concurrent requests)
Transfer rate: 1429.14 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 1051 2562.0 0 11662
Processing: 258 903 667.8 556 2710
Waiting: 254 466 460.8 268 1840
Total: 258 1954 2982.9 565 12518
Percentage of the requests served within a certain time (ms)
50% 565
66% 830
75% 1096
80% 1361
90% 8746
95% 8753
98% 9244
99% 9595
100% 12518 (longest request)
I can understand that HTTPS can be a little bit slower than HTTP, and that should be mitigated with keep-alive, but I still don't understand the big difference and why I can actually see it loading incredibly slowly. I think it is some misconfiguration I have done, because on the other server where I installed HTTPS it is not that slow by far.
Other information that could be useful is:
cat mods-available/ssl.conf |grep SSLRandomSeed
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 1024
This is how I created my certificates:
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key
This is the config for default-ssl:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
DocumentRoot /var/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Any ideas?
UPDATE:
It is being that slow only in Chrome so far… Firefox and Safari are OK; that can definitely give a hint, I am going to investigate this.
Best Answer
You are using /dev/urandom for your random seed, so it won't be an entropy pool blocking issue.
If you notice the entire stream is slow (and not just slow to start, but a slow rate) only on HTTPS, you should check whether your server is adequately provisioned. Encryption and signing can be rather CPU-intensive; check top (and your load average). If you have an unreasonably small amount of CPU or RAM this would make sense.
Also note: the certificate isn't used for the actual encryption, only for the key exchange and identity verification. A random session key is generated and used for encryption according to the capabilities and preferences negotiated between the client and server at the start of the connection. As a test, you could try something like disabling all but low-security ciphers in your cipherspec.
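To see where the HTTPS penalty in the runs above actually lands, here is an added Python script (mine, not from the question or the answer) that parses ab's Connection Times rows and attributes the extra time to the Connect phase (TCP connect plus TLS handshake) versus the Processing phase; the sample rows are copied from the three runs in the question.

```python
import re

# Constructed sample input: the four rows of the "Connection Times (ms)" table
# from each ab run in the question (HTTP, HTTPS, HTTPS with -k), copied verbatim.
AB_RUNS = {
    "http": """Connect: 254 549 872.4 270 3289
Processing: 518 2046 1584.9 1250 8370
Waiting: 258 1596 1532.1 724 7214
Total: 779 2595 2044.1 1525 10467""",
    "https": """Connect: 1225 8408 3478.8 8733 14994
Processing: 957 6470 3693.6 5922 13997
Waiting: 258 2422 1720.7 1711 8113
Total: 10486 14878 4730.7 12594 27169""",
    "https_keepalive": """Connect: 0 1051 2562.0 0 11662
Processing: 258 903 667.8 556 2710
Waiting: 254 466 460.8 268 1840
Total: 258 1954 2982.9 565 12518""",
}

# ab prints each row as: <phase>: <min> <mean> <+/-sd> <median> <max>
ROW = re.compile(r"^(Connect|Processing|Waiting|Total):\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)", re.M)

def parse_connection_times(report):
    """Map each phase of an ab report to its min/mean/sd/median/max in ms."""
    phases = {}
    for m in ROW.finditer(report):
        name, mn, mean, sd, med, mx = m.groups()
        phases[name] = {"min": int(mn), "mean": int(mean), "sd": float(sd),
                        "median": int(med), "max": int(mx)}
    if len(phases) != 4:
        raise ValueError("Connection Times table incomplete or not found")
    return phases

def phase_delta(base, other, stat="mean"):
    """Per-phase difference (other - base) in ms. In ab, Connect includes the
    TLS handshake; Processing covers the encrypted request/response transfer."""
    return {p: other[p][stat] - base[p][stat] for p in base}

def handshake_share(base, other, stat="mean"):
    """Fraction of the total extra time that lands in the Connect phase."""
    d = phase_delta(base, other, stat)
    return d["Connect"] / d["Total"] if d["Total"] else 0.0

if __name__ == "__main__":
    runs = {k: parse_connection_times(v) for k, v in AB_RUNS.items()}
    for stat in ("mean", "median"):
        d = phase_delta(runs["http"], runs["https"], stat)
        print(f"HTTPS penalty ({stat}): {d}  connect share={handshake_share(runs['http'], runs['https'], stat):.0%}")
    print("keep-alive saving vs plain HTTPS:", phase_delta(runs["https"], runs["https_keepalive"]))
```

Roughly two thirds of the extra time per request sits in the Connect phase, and the keep-alive run removes almost all of it, which is consistent with the handshake, not the bulk encryption, being the expensive part on this server.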