Sysadmin Any way to reduce/accelerate TLS handshake time?

Discussion in 'System Administration' started by Troy, Oct 9, 2016.

  1. Troy

    Troy Premium Member Premium Member

    14
    6
    3
    Sep 14, 2016
    Ratings:
    +6
    Local Time:
    7:31 PM
    I'm noticing a disappointing trend in that the TLS handshake time for connections seems pretty excessive, in some cases taking longer than the connection+response time from some geos.

    Any way to reduce this?

  2. eva2000

    eva2000 Administrator Staff Member

    30,836
    6,903
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,393
    Local Time:
    10:31 AM
    Nginx 1.13.x
    MariaDB 5.5
    It's a function of physical distance between servers (round trip times) and how fast both source and destination servers are for processing TLS handshakes. As well as how TLS/SSL is configured on both source and destination servers etc.

    So partially dependent on those online test servers themselves too. Which testing tool is that from?

    Tried Web Performance Test - 14+ Global Test Locations?

    Also try webpagetest.org
    Last edited: Oct 9, 2016
  3. eva2000

  4. eva2000

    More info: Networking 101: Transport Layer Security (TLS) - High Performance Browser Networking (O'Reilly)

  5. Troy

    That test was from updown.io – Website monitoring, simple and inexpensive

    George, on a default centminmod install, do the following features get enabled in nginx?
    - persistent connections
    - TLS resumption
    - TLS false start
    - HSTS
    - ocsp stapling

    I was reviewing the info at Is TLS Fast Yet?, and have found some fairly interesting things on improving TLS performance. Looks like TLS 1.3 will deliver huge improvements in TLS performance.
  6. eva2000

    Centmin Mod HSTS is supported if you set up HTTPS sites via Centmin Mod menu option 2, 22, /usr/bin/nv or in 123.09beta01 addons/acmetool.sh, but you need to enable it manually, understanding what it can do and its negatives outlined under the Enabling HSTS for SSL section at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS; otherwise you'll DDoS your own web site if you enable HSTS but later disable HSTS or HTTPS.

    Persistent connections and keepalive are enabled.

    TLS resumption is enabled via nginx tickets (Module ngx_http_ssl_module), but it's recommended to turn them off; they're enabled by default.

    TLS false start has both a client/web browser side and a server side, so the browser needs to support HTTPS via the NPN or ALPN protocol and the server side needs to support Forward Secrecy. Which means online testing tools may not support it on their end - which comes back to the configuration of the testing servers for HTTPS/SSL.

    Some of these can be tested via dev.ssllab.com tests. FS tag at end = Forward Secrecy

    More on Forward Secrecy: SSL Labs: Deploying Forward Secrecy – Network Security Blog | Qualys, Inc., which comes back to what SSL ciphers are set up on the nginx server end. Centmin Mod nginx vhost HTTPS/SSL generated vhosts are configured properly for this, and so are HTTPS vhosts you manually add via Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS.

    OCSP you need to enable for SSL HTTPS sites you set up manually, as outlined under Enabling OCSP stapling for SSL at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS, or it is auto enabled with 123.09beta01 addons/acmetool.sh live obtained Let's Encrypt SSL certificates (not for staging test SSL certs or self-signed certs, which do not support OCSP stapling).
    Last edited: Oct 10, 2016
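As an added example (not Centmin Mod's or nginx's own code) of checking the items from the question above against a vhost, the following Python script parses the simple directives of an nginx server block and reports keepalive, session resumption (cache and tickets), OCSP stapling, HSTS and the protocol list. The two vhost snippets, the example.test hostname and the certificate paths are constructed placeholders; where a directive is absent it assumes nginx's documented defaults (keepalive_timeout 75s, ssl_session_cache none, ssl_session_tickets on, ssl_stapling off, and ssl_protocols TLSv1 TLSv1.1 TLSv1.2 for nginx 1.13).

```python
"""Checklist auditor for the nginx TLS settings discussed in the thread.
Added example, not Centmin Mod or nginx code: it reads the simple directives
of a server{} snippet (block nesting is ignored) and checks keepalive, session
resumption, session tickets, OCSP stapling, HSTS and the protocol list.
The sample vhosts, example.test hostname and paths are constructed."""
import re

# Constructed sample: an HTTPS vhost that leaves the weaker defaults in place.
WEAK_VHOST = """
server {
    listen 443 ssl;
    server_name example.test;            # placeholder hostname
    ssl_certificate     /etc/ssl/example.test.crt;
    ssl_certificate_key /etc/ssl/example.test.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    keepalive_timeout 0;                 # turns persistent connections off
}
"""

# Constructed sample: the same vhost with the settings recommended above.
HARDENED_VHOST = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate         /etc/ssl/example.test.crt;
    ssl_certificate_key     /etc/ssl/example.test.key;
    ssl_trusted_certificate /etc/ssl/example.test.chain.crt;  # for ssl_stapling_verify
    ssl_protocols TLSv1.2 TLSv1.3;       # TLSv1.3 needs nginx built on OpenSSL 1.1.1+
    ssl_session_cache shared:SSL:10m;    # server-side resumption cache
    ssl_session_tickets off;             # the thread's recommendation
    ssl_stapling on;
    ssl_stapling_verify on;
    keepalive_timeout 30;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

def parse_directives(conf):
    """Return (name, args) for each simple directive. Skips '#' comments,
    ignores '{' / '}' nesting and keeps ';' inside double quotes as data."""
    out, args, tok, quoted, i = [], [], "", False, 0
    while i < len(conf):
        ch = conf[i]
        if quoted:
            if ch == '"':
                args.append(tok)
                tok, quoted = "", False
            else:
                tok += ch
        elif ch == '"':
            quoted = True
        elif ch == "#":
            while i < len(conf) and conf[i] != "\n":
                i += 1
        elif ch in " \t\n;{}":
            if tok:
                args.append(tok)
                tok = ""
            if ch == ";" and args:
                out.append((args[0], args[1:]))
            if ch in ";{}":
                args = []
        else:
            tok += ch
        i += 1
    return out

def audit(conf):
    """Return (check, ok, detail) triples; nginx defaults fill in missing directives."""
    first, hsts = {}, ""
    for name, args in parse_directives(conf):
        first.setdefault(name, args)
        if name == "add_header" and args and args[0].lower() == "strict-transport-security":
            hsts = " ".join(args)
    get = lambda name, default: first.get(name, [default])[0]
    findings = []
    ka = get("keepalive_timeout", "75s")                      # default 75s; 0 disables
    findings.append(("keepalive", ka != "0", f"keepalive_timeout {ka}"))
    cache = get("ssl_session_cache", "none")                  # default: no cache
    findings.append(("session_cache", cache not in ("none", "off"), f"ssl_session_cache {cache}"))
    tickets = get("ssl_session_tickets", "on")                # default on; thread says turn off
    findings.append(("session_tickets", tickets == "off", f"ssl_session_tickets {tickets}"))
    stapled = get("ssl_stapling", "off") == "on" and get("ssl_stapling_verify", "off") == "on"
    chain = "ssl_trusted_certificate" in first                # verify needs the issuer chain
    findings.append(("ocsp_stapling", stapled and chain,
                     f"stapling+verify {'on' if stapled else 'off'}, chain {'set' if chain else 'missing'}"))
    m = re.search(r"max-age=(\d+)", hsts)                     # HSTS reported, not prescribed
    findings.append(("hsts", bool(m) and int(m.group(1)) > 0,
                     f"add_header {hsts}" if m else "no Strict-Transport-Security header"))
    protos = first.get("ssl_protocols", ["TLSv1", "TLSv1.1", "TLSv1.2"])  # nginx 1.13 default
    legacy = [p for p in protos if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    findings.append(("protocols", not legacy, "ssl_protocols " + " ".join(protos)))
    return findings

def failing_checks(conf):
    """Names of the checks that did not pass, in checklist order."""
    return [check for check, ok, _ in audit(conf) if not ok]

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(f"== {label} vhost ==")
        for check, ok, detail in audit(conf):
            print(f"  [{'ok ' if ok else 'WARN'}] {check}: {detail}")
```

Running the script prints both reports: the weak vhost fails every check, the hardened one passes all six. The HSTS check only reports whether the header is present and has a positive max-age; it deliberately does not mark a missing header as something to switch on, for the reason given in the post above about disabling HTTPS later. The parser is intentionally flat (it does not track which block a directive lives in), so run it on one server block at a time.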
  7. eva2000

    Yes, it will be something to look forward to. FYI, if you're behind Cloudflare's HTTPS/SSL, they have already implemented TLS 1.3 if the web client end supports it :)
  8. Troy

    Excellent responses George, truly appreciate the level of detail!
  9. eva2000

  10. Troy

    I tested a handful of site monitoring services - ended up disabling all except site24x7 (I like their root cause analysis emails with trace routes, pings, etc. included) and updown.io.
  11. eva2000

    Playing with updown.io :)