Slow initial connection on https connects

Nov 22, 2017

Our busiest server sometimes showed long connection times after we changed the default protocol from http to https.

This server is running Apache 2.4.10 on Debian Wheezy, and the slow connection times manifested themselves after periods of higher than normal load, but far from being critical.

I have tried a lot of different things, like incrementing the number of Apache processes, limiting the number of concurrent outgoing mails (the server sends about 20.000 emails every day), and also adding more memory to the system – but nothing helped.

Unfortunately, HTTP/2 is not available with this Apache version, and I don’t like to backport from a newer Debian version. The same is true for ALPN and NPN: neither is available in the installed Apache version.

The solution was to enable OCSP stapling:

SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Now the maximum connection times are down to about 5 seconds in the busiest periods, instead of reaching 20 seconds and more. In times of normal load the connection times are below 0.1 seconds.

As a test, I can recommend the SSL Labs test by Qualys: https://www.ssllabs.com/ssltest/analyze.html
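To check from the command line that the server really sends a stapled OCSP response after the two directives above are enabled, the output of `openssl s_client -status` can be classified as in the following sketch. This is an added example, not part of the original post; the function names and the two sample outputs are constructed for illustration, and `check_host` assumes port 443 with SNI equal to the host name.

```shell
#!/bin/sh
# Classify the stapling state from `openssl s_client -status` output on stdin.
# Prints: not-stapled | no-handshake | stapled-error | stapled-<cert status>
classify_stapling() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { seen = 1; ok = ($0 ~ /successful/) }
        /Cert Status:/ && cert == ""      { cert = $3 }
        END {
            if (none)        { print "not-stapled";   exit }
            if (!seen)       { print "no-handshake";  exit }
            if (!ok)         { print "stapled-error"; exit }
            s = (cert == "") ? "unknown" : cert
            print "stapled-" s
        }'
}

# Live check (assumption: HTTPS on port 443, SNI = host name given as $1).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample: abbreviated s_client output with a stapled response.
sample_stapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Nov 21 08:00:00 2017 GMT
    Next Update: Nov 28 08:00:00 2017 GMT
EOF
}

# Constructed sample: server without SSLUseStapling.
sample_unstapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

# Run against a real host when one is given as the first argument.
if [ -n "${1:-}" ]; then check_host "$1"; fi
```

A result of `stapled-error` means a response was stapled but the responder did not report success, which is worth alerting on because clients then fall back to their own OCSP lookup or fail the handshake.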
