We're running Tomcat 6 on an Ubuntu 2GB slice on slicehost.com
The JSP application fwiw is Open Clinica 3.1
I implemented SSL pretty much by the book as you can see:
<Connector port="8443"
scheme="https" SSLEnabled="true"
keystorePass="XXXXX" keystoreFile="XXXXX"
maxKeepAliveRequests="0"
sessionCacheSize="0" sessionTimeout="0" compression="on" maxThreads="500"
clientAuth="false" sslProtocol="TLS" />
The problem is that the Open Clinica Java application performs a large number of HTTP requests to build a page – using the Chrome developer tools, I can see between 70-80 requests for a typical page.
When you add SSL hand shaking to each request, the additional network latency just kills the application response time. FWIW – the client users are located in Israel, Europe and the US – so the option of running a local server next to the users is not really feasible. I am aware that since slicehose is in the US – the network latency to Israel is poor but I feel that since the HTTP performance of the server was acceptable to good – that we should be able to do better.
In an attempt to minimize the ssl handshakes – I defined unlimited sessionCacheSize and SessionTimeout as can be seen in the above connector definition
However, when I run ssldump on the client side, I still see lots of handshaking going on which seems to suggest that Tomcat is in effect ignoring these parameters
The server is not stressed – with 5 simultaneous users, there is about 100MB free memory and little to no swapping.
Best Answer
SSL handshaking on each resource is a telltale sign that HTTP's keep-alive functionality isn't working.
With keep-alive, a single SSL handshake is done for a TCP connection, then multiple resources can be requested via that single connection. Modern browsers like to open more than one TCP connection to avoid bottlenecks on slow-loading resources, so you'll still see multiple handshakes, but certainly fewer than with keep-alive off.
maxKeepAliveRequests="0"
is turning off keep-alive, I believe (I actually can't find documentation on what 0 does; 1 disables keep-alive and -1 sets no limit - I'm assuming 0 is also an effective disable).If you intended to disable keep-alive, I'd recommend reconsidering; if you intended to set it to unlimited, change that option to -1.