We set up a new Rackspace to shift capacity from an existing server we have that is overtaxed. During this process we set up a new SSL cert using the command line instead of the WHM / cPanel tools that my boss typically uses to do that.
I followed this Ubuntu wiki article:
https://help.ubuntu.com/11.04/serverguide/C/certificates-and-security.html
My problem is that when I go to the domain:
It doesn't resolve very quickly at all the first time. It seems to always resolve quickly with HTTP, but the first time I access it on a machine it seems to be slow at doing something with verifying the certificate.
How can I diagnose why this is being slow so I can fix it?
Thank you!
Run tcpdump on your client (or Wireshark if using a Windows client).
sudo tcpdump -ni eth0 -s0 -w /tmp/filename.pcap
(Your interface name might be something other than eth0.) You have access to the private key, so you can probably easily decrypt the encrypted content with Wireshark. Open the trace in Wireshark and filter on your server's IP address by setting the display filter to: ip.addr==a.b.c.d
(where a.b.c.d is your server/site IP address), and look at the SSL/TLS handshake times; you will not need to decrypt the payload to view what is going on during the handshake. You should be able to get some idea of how long the handshake is taking, or whether your slowdown is due to DNS resolution. Subsequent requests are loading from the browser cache, and SSL session re-use might explain the faster response times. You might have success duplicating the slowness with every request if you use cURL from your client machine while running the trace.
You are using a 2048-bit cert, and there was some research done that indicates that the SSL handshake takes 5 times longer than it did over 1024-bit certs. (Of course, this was done by a firm that sells load-balancers that perform SSL offload...)
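One way to reproduce the first-request slowness from the client with cURL, as an added example that is not part of the original answer: it uses curl's -w timing variables to split each fresh request into DNS lookup, TCP connect, SSL/TLS handshake and time-to-first-byte, so the slow phase stands out without decrypting anything. It assumes curl and awk are installed; the host name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original answer. Times a fresh HTTPS request
# from the client with cURL and splits it into phases using curl's -w
# timing variables (cumulative seconds since the start of the request).
# Assumes curl and awk are installed. The host name is a placeholder.

# One fresh request: no browser cache, no TLS session reuse, body discarded.
# Prints: namelookup connect appconnect starttransfer total
curl_timings() {
  curl -sS -o /dev/null \
    -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n' \
    "https://$1/"
}

# Convert the five cumulative timestamps into per-phase durations:
#   dns  = name lookup
#   tcp  = TCP connect after the lookup
#   tls  = SSL/TLS handshake after TCP connect (the phase the answer points at)
#   ttfb = server response time after the handshake
phase_breakdown() {
  echo "$1" | awk '{
    printf "dns=%.3f tcp=%.3f tls=%.3f ttfb=%.3f total=%.3f\n",
      $1, $2 - $1, $3 - $2, $4 - $3, $5
  }'
}

# Repeat a fresh request N times against HOST. Every curl run starts a new
# TLS session, so a slow handshake shows up on every line, not only the
# first one as in a browser with session reuse. Usage:
#   sh timing.sh www.example.com 5
if [ "$#" -ge 1 ]; then
  host="$1"; runs="${2:-3}"
  i=1
  while [ "$i" -le "$runs" ]; do
    phase_breakdown "$(curl_timings "$host")"
    i=$((i + 1))
  done
fi
```

If the tls column dominates, the handshake itself is slow; if dns dominates, the resolver is, which is the same distinction the tcpdump trace lets you make.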