Multiple SSL enabled hosts causes nginx to reload slowly

Maxim Dounin mdounin at mdounin.ru
Thu May 19 14:42:39 MSD 2011


Hello!

On Wed, May 18, 2011 at 08:40:15PM -0400, runesoerensen wrote:

> Hi,
> 
> I've set up ssl_certificate and ssl_certificate_key directives on the
> http level of my nginx configuration. The problem I'm facing is that
> starting/reloading nginx is getting slower and slower as more hosts
> (server directives) are added. The server has roughly 1000 SSL-enabled
> hosts that inherit the ssl certificate directives.
> 
> I know nginx verifies the certificate when loading it, so I'm wondering
> if nginx checks the certificate each time an SSL enabled host inherits
> the shared certificate? If so, shouldn't it only check the certificate
> once? According to
> http://nginx.org/en/docs/http/configuring_https_servers.html it should
> cause all hosts to inherit a single memory footprint, but this doesn't
> seem to be the case.
> 
> If this is a bug in nginx it may be an idea to completely disable
> certificate verification if possible?
> 
> Any advice is highly appreciated.

Quick look suggests that time is taken mostly here in 
ngx_http_ssl_module.c:

    /* a temporary 512-bit RSA key is required for export versions of MSIE */
    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

As export versions of MSIE are rare and hardly supported nowadays 
anyway, you may want to just nuke this code as a workaround.

I'll take a look at this further as time permits.

Maxim Dounin
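
The cost pattern described in the reply, as an added example that is not part of the original message or of nginx: a toy Python model in which each SSL-enabled server block generates its own temporary 512-bit RSA modulus at start/reload. It assumes the keygen step runs once per server block; `load_config`, `generate_rsa512_modulus` and the pure-Python prime search are hypothetical stand-ins, not nginx or OpenSSL code.

```python
# Added illustration: a toy model of config load, not nginx source code.
import secrets
import time

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=20):
    """Miller-Rabin test for odd n much larger than 37."""
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # a proves n composite
    return True

def random_prime(bits):
    while True:
        # Top two bits set so p*q has exactly 2*bits bits; low bit set for oddness.
        c = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c

def generate_rsa512_modulus():
    """Stand-in for the temporary 512-bit key generation in the quoted snippet."""
    return random_prime(256) * random_prime(256)

def load_config(n_servers, generate_temp_key=True):
    """Model one start/reload (assumption: one keygen per SSL server block).
    Returns (keys_generated, seconds, moduli)."""
    start = time.perf_counter()
    moduli = [generate_rsa512_modulus() for _ in range(n_servers)] if generate_temp_key else []
    return len(moduli), time.perf_counter() - start, moduli

if __name__ == "__main__":
    for n, keygen in ((10, True), (100, True), (100, False)):
        count, secs, _ = load_config(n, keygen)
        print(f"{n} server blocks, keygen={keygen}: {count} keys, {secs:.3f}s")
```

Run directly, the elapsed time grows linearly with the number of server blocks while the key step is enabled and drops to near zero once it is removed, which is the effect of the workaround suggested in the reply.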


