Home / server / Questions / 693534
Accepted
clarkk
Asked: 2015-05-22 01:35:07 +0800 CST

slow SSL apache server

  • 772

I have a problem with a slow Apache server with SSL 256bit cert

ab -n 500 https://example.com/
Time per request 29 ms

ab -n 500 http://example.com/
Time per request 10 ms

52 Bytes is sent in both requests and the tests are done from a server in the same datacenter

conf

SSLEngine on
SSLProtocol All -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM

Is it normal that SSL is 3 times slower than plain HTTP requests?

apache-2.2

5 Answers

  1. Best Answer

    How did you benchmark your server? What application is running behind your HTTPS server? What CPU does your server use? How you can see, your question lack many important details...

    Anyway, SSL surely is somewhat slower then "pure" HTTP: public key cryptography is way slower then symmetric-key one, and this is the very reason why pubkey is only used to exchange a private, symmetric key and the channel the switches to symmetric key crypto.

    • 7

  2. HTTPS is slower because it has more data to exchange (the X.509 certificate from the server), it has a secure data connection to set up, ...

    ab can give 'Connect' time and that's where you'll see your timing difference. TLS setup take more time than no setup.

    • 2

  3. You need to realise the difference between what ab does and what a browser does. (I'm not going to answer what ab does, because I'm not familiar enough with it).

    For example:

    1. Is ab using TLS session re-use? A browser would, and would perform much faster because of it (for subsequent requests). You can verify this with wireshark (perhaps https://ask.wireshark.org/questions/9007/ssl-session-reuse is useful)
    2. Is ab using ciphers that are known to be slow (you can see what cipher gets negotiated in the ssl_request_log)
    3. Are you supporting HTTP keep-alive on the HTTPS connection? You ought to, even just for long enough to pull all the assets on a page. This will really cut down on the number of SSL/TLS requests made to the server.
    4. Do you have cache-friendly content on your site (especially for the browsers cache) -- are you making use of response headers such as Cache-Control: public, max-age=3600, s-max-age=3600.

    If you concentrate on those, then you can easily make a HTTPS-only site run nice and quickly. This is what I do for a video-streaming site that is (effectively) HTTPS only, and I have not had to worry about SSL connection times.

    • 2

  4. Yes, it is normal for HTTPS to be approximately 3 times slower at establishing connection than HTTP. Here is nice read explaining why.

    • 0

  5. Reasons for slow down of website:

    • SSL certificates carry several intermediate certificates that increase data volume during handshake.

    • OCSP and CRL performance is also not corrected as a website takes 1/3 of a second in replying to an OCSP request and establishing a connection.

    Recommendations for fast HTTPS connections:

    • The utilization of CPU resources can be mitigated by the compacting of textual content, or upgrade the current process to handle the encryption task.

    • You need to make sure that everything on the page is retrieved over HTTPS.

    • Take help of SPDY - an open source network protocol of Google that minimize the web page loading time.

    • On Certificate authority side, CAs can reduce OCSP and CRL response time from 300ms to 100ms (milliseconds).

    • The CA can reduce the intermediate chain size in SSL certificates as it consumes additional bytes and time.

    • 0