Extra RTT on large certificates (again?)
Maxim Dounin
mdounin at mdounin.ru
Mon May 22 19:27:48 UTC 2017
Hello!
On Mon, May 22, 2017 at 08:15:43PM +0200, Albert Casademont wrote:
> Hi,
>
> A few years ago a bug was reported on the extra RTT caused by large
> certificates (https://trac.nginx.org/nginx/ticket/413). Doing some routine
> testing I see that this behaviour is also present in at least nginx 1.12
> and 1.13. Is it possible that the bug has reappeared? The threshold for the
> extra RTT seems to be again at 4KB
>
> Attaching a Webpagetest with the tcpdump file, you can clearly see that the
> server stops and waits for the extra ACK before sending the remainder of
> the certificate (the long cert is just for testing, but the same happens
> when sending the OCSP response if stapling is activated).
>
> wpt: https://www.webpagetest.org/result/170522_SA_1A3B
> tcpdump:
> https://www.webpagetest.org/getgzip.php?test=170522_SA_1A3B&file=1.cap (use
> "(ip.addr eq 192.168.10.65 and ip.addr eq 37.187.169.10) and (tcp.port eq
> 57109 and tcp.port eq 443)" filter in wireshark)
Which OpenSSL version are you using? It is quite possible that
changes in OpenSSL broke this, as OpenSSL provides no official way
to adjust handshake buffers.
Quick testing suggests that it works properly with OpenSSL 1.0.2k,
but not with OpenSSL 1.1.0d. Looking into the code suggests that
it is broken by this commit:
https://github.com/openssl/openssl/commit/2e7dc7cd688
And it looks like it is no longer possible to adjust handshake
buffer size with OpenSSL 1.1.0 and up, unfortunately.
--
Maxim Dounin
http://nginx.org/
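The report above hinges on one number: whether the server's first handshake flight (Certificate, plus CertificateStatus when OCSP stapling is on) crosses the 4 KB buffer size Albert observed. The following is an added example, not code from this thread, from nginx or from OpenSSL: it measures a PEM chain, computes the TLS 1.2 on-the-wire size of the Certificate message (RFC 5246 framing: 4-byte handshake header, 3-byte list length, 3-byte length per certificate) and of a stapled OCSP response (RFC 6066 CertificateStatus), and flags whether the total exceeds the threshold. The 4096-byte value for "4KB" is an assumption taken from the report; the sample chain is constructed placeholder data (only its lengths matter), not real certificates.

```python
"""Estimate the size of the server's certificate-related handshake messages
and check it against the 4 KB threshold reported in the nginx-devel thread.

Added example; not code from the thread, nginx or OpenSSL. TLS record headers
(5 bytes each) are not counted because OpenSSL may pack several handshake
messages into one record, so the figure below is a lower bound on the wire.
"""
import base64
import re
from typing import Dict, List

HANDSHAKE_HEADER = 4   # msg_type(1) + length(3), RFC 5246 7.4
CERT_LIST_LEN = 3      # certificate_list<0..2^24-1> length field
PER_CERT_LEN = 3       # ASN.1Cert<1..2^24-1> length prefix per certificate
THRESHOLD = 4096       # assumption: the "4KB" threshold from the report

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_lengths_from_pem(pem_text: str) -> List[int]:
    """Return the DER length of each certificate in a PEM bundle, in file order."""
    lengths = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        lengths.append(len(der))
    return lengths


def certificate_message_size(der_lengths: List[int]) -> int:
    """Wire size of the TLS 1.2 Certificate handshake message for this chain."""
    body = CERT_LIST_LEN + sum(PER_CERT_LEN + n for n in der_lengths)
    return HANDSHAKE_HEADER + body


def certificate_status_size(ocsp_der_len: int) -> int:
    """Wire size of the CertificateStatus message carrying a stapled OCSP response.

    RFC 6066 8: status_type(1) + OCSPResponse<1..2^24-1> length(3) + response.
    """
    return HANDSHAKE_HEADER + 1 + 3 + ocsp_der_len


def check_chain(pem_text: str, ocsp_der_len: int = 0,
                threshold: int = THRESHOLD) -> Dict[str, int]:
    """Summarise the chain and say whether it crosses the handshake buffer size."""
    lengths = der_lengths_from_pem(pem_text)
    cert_msg = certificate_message_size(lengths)
    status_msg = certificate_status_size(ocsp_der_len) if ocsp_der_len else 0
    total = cert_msg + status_msg
    return {
        "certs": len(lengths),
        "certificate_msg_bytes": cert_msg,
        "certificate_status_bytes": status_msg,
        "total_bytes": total,
        "over_threshold": total > threshold,
    }


def _fake_pem(n: int) -> str:
    """Constructed placeholder block of n bytes; NOT a real certificate."""
    body = base64.b64encode(b"\x30" * n).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample: a 1500-byte "leaf" and a 1200-byte "intermediate".
SAMPLE_CHAIN = _fake_pem(1500) + _fake_pem(1200)


if __name__ == "__main__":
    # Real use: check_chain(open("/etc/nginx/ssl/fullchain.pem").read(),
    #                       ocsp_der_len=len(open("ocsp.der", "rb").read()))
    print(check_chain(SAMPLE_CHAIN))
    print(check_chain(SAMPLE_CHAIN, ocsp_der_len=1500))
```

With the constructed chain alone the Certificate message is 2713 bytes and stays under the threshold; adding a 1500-byte stapled OCSP response pushes the flight to 4221 bytes, which is the situation Albert describes where stapling alone triggers the extra round trip.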