Extra RTT on large certificates (again?)

Albert Casademont albertcasademont at gmail.com
Mon May 22 20:09:38 UTC 2017


Hi Maxim,

Thanks for the prompt response. Yes, we're using OpenSSL 1.1.0e at the
moment... That is unfortunate; what would you suggest doing? Report this to
the OpenSSL devs? An extra RTT is quite painful.

Best,

Albert

On Mon, May 22, 2017 at 9:27 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, May 22, 2017 at 08:15:43PM +0200, Albert Casademont wrote:
>
> > Hi,
> >
> > A few years ago a bug was reported on the extra RTT caused by large
> > certificates (https://trac.nginx.org/nginx/ticket/413). Doing some routine
> > testing I see that this behaviour is also present in at least nginx 1.12
> > and 1.13. Is it possible that the bug has reappeared? The threshold for the
> > extra RTT seems to be again at 4KB.
> >
> > Attached is a Webpagetest run with the tcpdump file; you can clearly see that
> > the server stops and waits for the extra ACK before sending the remainder of
> > the certificate (the long cert is just for testing, but the same happens
> > when sending the OCSP response if stapling is activated).
> >
> > wpt: https://www.webpagetest.org/result/170522_SA_1A3B
> > tcpdump:
> > https://www.webpagetest.org/getgzip.php?test=170522_SA_1A3B&file=1.cap
> > (use "(ip.addr eq 192.168.10.65 and ip.addr eq 37.187.169.10) and (tcp.port eq
> > 57109 and tcp.port eq 443)" filter in Wireshark)
>
> Which OpenSSL version are you using?  It is quite possible that
> changes in OpenSSL broke this, as OpenSSL provides no official way
> to adjust handshake buffers.
>
> Quick testing suggests that it works properly with OpenSSL 1.0.2k,
> but not with OpenSSL 1.1.0d.  Looking into the code suggests that
> it is broken by this commit:
>
> https://github.com/openssl/openssl/commit/2e7dc7cd688
>
> And it looks like it is no longer possible to adjust handshake
> buffer size with OpenSSL 1.1.0 and up, unfortunately.
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
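A quick check for the threshold discussed in this thread, added here as an example (it is not code from nginx, OpenSSL or either poster): it parses a PEM chain, computes the wire size of the TLS 1.2 Certificate message (plus the CertificateStatus message when OCSP stapling is on) and reports whether the server's certificate flight exceeds the default 4 KiB buffer of OpenSSL's buffering BIO, which matches the 4KB threshold observed above. The 4096-byte default, the constructed sample chain and the sample OCSP response length are assumptions; point it at your own chain.pem to check a real deployment.

```python
"""
Estimate how large a server's TLS 1.2 certificate flight is on the wire and
whether it crosses the 4 KiB default buffer of OpenSSL's buffering BIO, the
threshold at which the thread above reports the extra RTT.

Added example, not code from nginx, OpenSSL or the thread. Assumptions:
- OPENSSL_BBIO_DEFAULT = 4096 (DEFAULT_BUFFER_SIZE in crypto/bio/bf_buff.c);
- the flight is counted as Certificate plus optional CertificateStatus only;
  ServerHello, ServerKeyExchange and ServerHelloDone are left to the caller
  via extra_bytes because their size depends on the cipher suite.
"""
import base64
import re
import sys

OPENSSL_BBIO_DEFAULT = 4096   # assumed: OpenSSL buffering BIO default size
TLS_MAX_PLAINTEXT = 16384     # RFC 5246 6.2.1: max plaintext per record
RECORD_HEADER = 5             # content type + version + length
HANDSHAKE_HEADER = 4          # msg type + 3-byte length

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_certs_from_pem(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_RE.findall(pem_text)]


def certificate_message_size(ders):
    """TLS 1.2 Certificate message (RFC 5246 7.4.2): handshake header,
    3-byte certificate_list length, then 3-byte length + DER per cert."""
    return HANDSHAKE_HEADER + 3 + sum(3 + len(d) for d in ders)


def certificate_status_size(ocsp_der_len):
    """CertificateStatus message (RFC 6066 8): handshake header,
    1-byte status_type, 3-byte length, then the DER OCSPResponse."""
    return HANDSHAKE_HEADER + 1 + 3 + ocsp_der_len


def record_layer_size(message_len):
    """Bytes on the wire once a handshake message is split into records of
    at most TLS_MAX_PLAINTEXT bytes, each with a 5-byte header."""
    records = -(-message_len // TLS_MAX_PLAINTEXT)   # ceiling division
    return message_len + records * RECORD_HEADER


def first_flight_size(ders, ocsp_der_len=0, extra_bytes=0):
    """Wire size of Certificate (+ CertificateStatus if stapling) + extra_bytes."""
    total = record_layer_size(certificate_message_size(ders))
    if ocsp_der_len:
        total += record_layer_size(certificate_status_size(ocsp_der_len))
    return total + extra_bytes


def crosses_default_buffer(total, buf_size=OPENSSL_BBIO_DEFAULT):
    """True when the flight does not fit in a single buffering-BIO write."""
    return total > buf_size


def report(ders, ocsp_der_len=0, extra_bytes=0):
    """Summary a practitioner can read off or assert on."""
    total = first_flight_size(ders, ocsp_der_len, extra_bytes)
    return {
        "certs": len(ders),
        "certificate_msg": certificate_message_size(ders),
        "flight_bytes": total,
        "crosses_4k": crosses_default_buffer(total),
    }


# Constructed stand-ins for DER certificates (sizes only; not valid X.509).
def _fake_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_CHAIN_PEM = "".join(_fake_pem(b"\x30" + b"\x00" * (n - 1))
                           for n in (1500, 1100, 900))   # leaf, intermediate, root
SAMPLE_DERS = der_certs_from_pem(SAMPLE_CHAIN_PEM)
SAMPLE_OCSP_LEN = 1200   # constructed length of a stapled OCSP response

if __name__ == "__main__":
    # usage: python cert_flight.py [chain.pem] [ocsp_response_der_length]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            ders = der_certs_from_pem(f.read())
        ocsp = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    else:
        ders, ocsp = SAMPLE_DERS, SAMPLE_OCSP_LEN
    print("chain only   :", report(ders))
    print("with stapling:", report(ders, ocsp))
```

With the constructed three-certificate chain the Certificate message alone (3521 bytes on the wire) stays under 4096, and adding a 1200-byte stapled OCSP response pushes the flight to 4734 bytes, which is the stapling case Albert mentions. To measure a real OCSP response length, save the DER response that nginx staples (for example from `openssl ocsp -respout`) and pass its size as the second argument.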