Extra RTT on large certificates (again?)

Maxim Dounin mdounin at mdounin.ru
Mon May 22 19:27:48 UTC 2017


On Mon, May 22, 2017 at 08:15:43PM +0200, Albert Casademont wrote:

> Hi,
> A few years ago a bug was reported on the extra RTT caused by large
> certificates (https://trac.nginx.org/nginx/ticket/413). Doing some routine
> testing I see that this behaviour is also present in at least nginx 1.12
> and 1.13. Is it possible that the bug has reappeared? The threshold for the
> extra RTT seems to be again at 4KB
> Attaching a Webpagetest with the tcpdump file, you can clearly see that the
> server stops and waits for the extra ACK before sending the remainder of
> the certificate (the long cert is just for testing, but the same happens
> when sending the OCSP response if stapling is activated).
> wpt: https://www.webpagetest.org/result/170522_SA_1A3B
> tcpdump:
> https://www.webpagetest.org/getgzip.php?test=170522_SA_1A3B&file=1.cap (use
> "(ip.addr eq and ip.addr eq and (tcp.port eq
> 57109 and tcp.port eq 443)" filter in wireshark)

Which OpenSSL version are you using?  It is quite possible that 
changes in OpenSSL broke this, as OpenSSL provides no official way 
to adjust handshake buffers.

Quick testing suggests that it works properly with OpenSSL 1.0.2k, 
but not with OpenSSL 1.1.0d.  Looking into the code suggests that 
it is broken by this commit:


And it looks like it is no longer possible to adjust handshake 
buffer size with OpenSSL 1.1.0 and up, unfortunately.

Maxim Dounin
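An added, stand-alone check (not code from nginx, OpenSSL or this thread) that estimates how many bytes the server's Certificate message, plus the CertificateStatus message when stapling is on, occupies on the wire under TLS 1.2 framing, and compares that with the roughly 4 KB boundary the report describes. The PEM blobs are constructed and only their lengths matter; ServerHello and the rest of the flight are not counted, so the estimate is a lower bound.

```python
import base64
import re

# Threshold reported in the thread: the server pauses for an ACK once the
# handshake data it has queued before the pause exceeds roughly 4 KB.
HANDSHAKE_BUFFER_BYTES = 4096

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]


def certificate_message_size(der_certs, ocsp_response=None):
    """Bytes on the wire for the TLS 1.2 Certificate message: 5-byte record
    header, 4-byte handshake header, 3-byte certificate_list length, then a
    3-byte length plus DER for each certificate.  With stapling enabled the
    CertificateStatus message (status_type byte, 3-byte length, OCSP DER)
    follows in the same flight and is counted too."""
    body = 3 + sum(3 + len(der) for der in der_certs)
    total = 5 + 4 + body
    if ocsp_response is not None:
        total += 5 + 4 + 1 + 3 + len(ocsp_response)
    return total


def check_handshake_fits(pem_text, ocsp_response=None, limit=HANDSHAKE_BUFFER_BYTES):
    """Return (size, fits): fits is False when the flight would cross the
    threshold and an extra round trip is to be expected."""
    size = certificate_message_size(pem_chain_to_der(pem_text), ocsp_response)
    return size, size <= limit


def _constructed_pem(der_len):
    """Constructed sample input: PEM framing around der_len arbitrary bytes.
    It is not a real certificate; only its length matters for this check."""
    b64 = base64.b64encode(bytes(i % 256 for i in range(der_len))).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"


# Constructed chain: a 1500-byte "leaf" followed by a 1200-byte "intermediate".
SAMPLE_CHAIN = _constructed_pem(1500) + _constructed_pem(1200)

if __name__ == "__main__":
    print(check_handshake_fits(SAMPLE_CHAIN))                             # (2718, True)
    print(check_handshake_fits(SAMPLE_CHAIN, ocsp_response=bytes(1500)))  # (4231, False)
```

Run it against a real chain file and the DER of the stapled OCSP response to see whether the chain alone, or only the chain plus stapling, crosses the boundary.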
