Make SSL faster on Linux CentOS with Apache 2.4 OpenSSL 1.0

Submitted by 北慕城南 on 2020-01-24 04:21:04

Question


Colleagues!

Well, I have a huge problem with the speed of SSL authentication. Since I moved my website to SSL, GoogleBot has reduced the indexing of my website, because the SSL negotiation takes the value below, which I got from WebPageTest.org:

URL: https://www.musiconline.com.br/jorge-e-mateus/alcapao/

Host: www.musiconline.com.br

Error/Status Code: 200

Client Port: 0

Start Offset: 0.735 s

DNS Lookup: 34 ms

Initial Connection: 170 ms

SSL Negotiation: 531 ms

Time to First Byte: 311 ms

Content Download: 178 ms

Bytes In (downloaded): 13.2 KB

Bytes Out (uploaded): 0.4 KB

Look, the "SSL Negotiation" is 531 ms, a big value.

Does anyone know how I can solve this issue?


I verified mod_spdy; however, I can't install it because of the following message on my Linux CentOS 6, Apache 2.4:

root@server1 [/home/login/src]# rpm -U mod-spdy-*.rpm

warning: mod-spdy-beta_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY

error: Failed dependencies:

    httpd >= 2.2.4 is needed by mod-spdy-beta-0.9.4.3-420.x86_64

    mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.4.3-420.x86_64

root@server1 [/home/login/src]# httpd -v

Server version: Apache/2.4.12 (Unix)

Server built: Mar 21 2015 10:58:04

Cpanel::Easy::Apache v3.28.4 rev9999


root@server1 [/home/molbr/src]# uname -a

Linux server1.musiconline.com.br 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


Thanks for assistance.


Answer 1:


Initial Connection: 170 ms

SSL Negotiation: 531 ms

Looking at a packet capture I can see that after the initial TCP handshake the client starts the Handshake and it then takes a long time for the server to send all necessary data back (ServerHello, Certificates...). These data need 5 packets and due to various TCP magic and OS tuning the last packet will only be sent once it has got the acknowledgements for previous packets. In detail this TCP magic might probably be TCP slow start with a fixed initial congestion window of 4 with the CentOS version you use (see https://www.igvita.com/2011/10/20/faster-web-vs-tcp-slow-start/).

What can you do: fix your certificate chain. If you look at the SSLLabs report you will see "Chain issues: Contains anchor" which means that you send the root certificate even though the root certificate will be ignored by the client and instead a trusted CA built into the client is used (trust chain must be built from local trust!). If you fix your configuration by removing this root certificate the data sent by the server will be shorter and you will not run into the slow-start problem.



Source: https://stackoverflow.com/questions/29183874/make-ssl-faster-on-linux-centos-with-apache-2-4-openssl-1-0
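The "Contains anchor" check from the answer above, as an added example that is not part of the original question or answer: it scans a PEM chain for self-issued certificates (issuer equal to subject, compared without verifying signatures) and counts how many TCP segments the certificate bytes need with and without them. The MSS of 1460 bytes, the certificate names and the constructed skeleton certificates are assumptions; the sizes are not measured from the site in the question.

```python
import base64, math, re, ssl

MSS, INITCWND = 1460, 4   # assumed TCP payload per segment; initial window cited in the answer

def tlv(tag, body):
    """DER-encode one element; only used to build the constructed sample chain."""
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read(der, pos):
    """Return (tag, body_start, body_end) for the DER element starting at pos."""
    tag, first, pos = der[pos], der[pos + 1], pos + 2
    k = first & 0x7F if first & 0x80 else 0            # long-form length uses k extra bytes
    length = int.from_bytes(der[pos:pos + k], "big") if k else first
    return tag, pos + k, pos + k + length

def issuer_subject(der):
    """Raw issuer and subject Name encodings from a certificate's tbsCertificate."""
    _, pos, _ = read(der, 0)                           # Certificate SEQUENCE
    _, pos, end = read(der, pos)                       # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, stop = read(der, pos)
        fields.append((tag, der[pos:stop]))
        pos = stop
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip optional [0] version
    return fields[2][1], fields[4][1]                  # serial, sigAlg, issuer, validity, subject

def audit_chain(pem_text):
    """Flag self-issued certificates and count segments for the certificate bytes only."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    ders = [base64.b64decode(b) for b in blocks]
    anchors = [i for i, (iss, sub) in enumerate(map(issuer_subject, ders)) if iss == sub]
    sent = sum(map(len, ders))
    kept = sent - sum(len(ders[i]) for i in anchors)   # bytes left after dropping the anchors
    return {"anchors": anchors, "segments_sent": math.ceil(sent / MSS),
            "segments_trimmed": math.ceil(kept / MSS), "exceeds_initcwnd": sent > MSS * INITCWND}

def fake_cert(issuer, subject, pad=1900):
    """Constructed DER skeleton (not a valid certificate); pad stands in for key data."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, bytes(pad)))
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")))

SAMPLE = "".join(fake_cert(i, s) for i, s in   # constructed chain: leaf, intermediate, root
                 [("Int CA", "www.example.test"), ("Root CA", "Int CA"), ("Root CA", "Root CA")])
print(audit_chain(SAMPLE))
```

To check a real deployment, pass the contents of the chain file the server is configured to send to `audit_chain`; the full handshake flight is larger than the certificate bytes counted here.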
