Extra RTT on large certificates (again?)
albertcasademont at gmail.com
Mon May 22 20:34:11 UTC 2017
Seems like the openssl devs are aware of the issue and welcoming PRs, AFAIK
nothing's been done yet.
On Mon, May 22, 2017 at 10:09 PM, Albert Casademont <albertcasademont at gmail.com> wrote:
> Hi Maxim,
> Thanks for the prompt response. Yes, we're using OpenSSL 1.1.0e at the
> moment... That is unfortunate, what would you suggest doing? Report this to
> the openssl devs? An extra RTT is quite painful.
> On Mon, May 22, 2017 at 9:27 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>> On Mon, May 22, 2017 at 08:15:43PM +0200, Albert Casademont wrote:
>> > Hi,
>> > A few years ago a bug was reported on the extra RTT caused by large
>> > certificates (https://trac.nginx.org/nginx/ticket/413). Doing some
>> > testing I see that this behaviour is also present in at least nginx 1.12
>> > and 1.13. Is it possible that the bug has reappeared? The threshold for
>> > extra RTT seems to be again at 4KB
>> > Attaching a Webpagetest with the tcpdump file, you can clearly see that
>> > server stops and waits for the extra ACK before sending the remainder of
>> > the certificate (the long cert is just for testing, but the same happens
>> > when sending the OCSP response if stapling is activated).
>> > wpt: https://www.webpagetest.org/result/170522_SA_1A3B
>> > tcpdump:
>> > https://www.webpagetest.org/getgzip.php?test=170522_SA_1A3B&file=1.cap
>> > (Wireshark display filter: "(ip.addr eq 192.168.10.65 and ip.addr eq 22.214.171.124) and (tcp.port
>> > eq 57109 and tcp.port eq 443)")
>> Which OpenSSL version are you using? It is quite possible that
>> changes in OpenSSL broke this, as OpenSSL provides no official way
>> to adjust handshake buffers.
>> Quick testing suggests that it works properly with OpenSSL 1.0.2k,
>> but not with OpenSSL 1.1.0d. Looking into the code suggests that
>> it is broken by this commit:
>> And it looks like it is no longer possible to adjust handshake
>> buffer size with OpenSSL 1.1.0 and up, unfortunately.
>> Maxim Dounin
>> nginx-devel mailing list
>> nginx-devel at nginx.org
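The check a practitioner would want before blaming nginx or OpenSSL is how close the server's first handshake flight actually sits to the threshold the thread reports. The script below is an added example and is not part of this thread, of nginx, or of OpenSSL: it parses a PEM chain, computes the on-the-wire size of the TLS 1.2 Certificate handshake message (RFC 5246 section 7.4.2) plus the CertificateStatus message carrying a stapled OCSP response (RFC 6066 section 8), and compares the total with the 4 KB figure from the discussion above. Assumptions: the 4096-byte threshold is taken from the thread, not measured here; the PEM blocks are constructed filler of chosen sizes rather than real certificates; the ServerHello and TLS record headers are not counted, so the total is a lower bound on the flight; and the point at which the server actually waits for an ACK also depends on the TCP initial congestion window, which the script does not model.

```python
import base64
import re

# Threshold the thread reports for the extra round trip (assumption: the
# 4 KB OpenSSL handshake write buffer discussed above, not a measured value).
HANDSHAKE_BUFFER_BYTES = 4096

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_lengths(pem_chain: str) -> list:
    """DER length of every certificate in a PEM chain, in chain order."""
    return [
        len(base64.b64decode(re.sub(r"\s+", "", body)))
        for body in PEM_BLOCK.findall(pem_chain)
    ]


def certificate_message_size(der_lens) -> int:
    """Bytes of the TLS 1.2 Certificate handshake message (RFC 5246 s7.4.2):
    4-byte handshake header, 3-byte certificate_list length, then each
    certificate prefixed by its own 3-byte length."""
    if not der_lens:
        raise ValueError("no certificates found in chain")
    return 4 + 3 + sum(3 + n for n in der_lens)


def certificate_status_size(ocsp_der_len: int) -> int:
    """Bytes of the CertificateStatus message (RFC 6066 s8) when stapling
    is on: 4-byte handshake header, 1-byte status_type, 3-byte length,
    then the DER OCSP response. Zero when stapling is off."""
    if ocsp_der_len == 0:
        return 0
    return 4 + 1 + 3 + ocsp_der_len


def flight_report(pem_chain: str, ocsp_der_len: int = 0) -> dict:
    """Size the certificate part of the server's first flight and flag
    whether it exceeds the handshake buffer threshold."""
    lens = der_lengths(pem_chain)
    cert_msg = certificate_message_size(lens)
    status_msg = certificate_status_size(ocsp_der_len)
    total = cert_msg + status_msg
    return {
        "certificates": len(lens),
        "der_bytes": lens,
        "certificate_message": cert_msg,
        "certificate_status_message": status_msg,
        "total": total,
        "exceeds_buffer": total > HANDSHAKE_BUFFER_BYTES,
        "headroom": HANDSHAKE_BUFFER_BYTES - total,
    }


def fake_pem(der_len: int, seed: int) -> str:
    """Constructed PEM block whose decoded body is der_len bytes of filler.
    It is NOT a real certificate; only its size matters for this check."""
    filler = bytes((seed + i) % 256 for i in range(der_len))
    body = base64.encodebytes(filler).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample chains: a typical two-certificate chain and a longer
# three-certificate chain of the kind the thread uses for testing.
SHORT_CHAIN = fake_pem(1200, 1) + fake_pem(1100, 2)
LONG_CHAIN = fake_pem(1500, 3) + fake_pem(1400, 4) + fake_pem(1300, 5)

if __name__ == "__main__":
    for name, chain, ocsp in (
        ("short chain, no stapling", SHORT_CHAIN, 0),
        ("short chain + 1800-byte OCSP staple", SHORT_CHAIN, 1800),
        ("long chain, no stapling", LONG_CHAIN, 0),
    ):
        report = flight_report(chain, ocsp)
        print(f"{name}: total={report['total']} "
              f"headroom={report['headroom']} "
              f"exceeds={report['exceeds_buffer']}")
```

To run it against a real deployment, feed `flight_report` the PEM file named in `ssl_certificate` and, with stapling on, the DER length of the OCSP response that nginx fetches; a negative headroom means the certificate flight alone is already past the threshold, and the stapled response pushes even a modest chain over it, which matches the observation in the thread that the same stall appears with stapling enabled.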