Extra RTT on large certificates (again?)
Albert Casademont
albertcasademont at gmail.com
Mon May 22 20:34:11 UTC 2017
Seems like the openssl devs are aware of the issue and welcoming PRs, AFAIK
nothing's been done yet.
https://mta.openssl.org/pipermail/openssl-users/2016-November/004835.html
On Mon, May 22, 2017 at 10:09 PM, Albert Casademont <
albertcasademont at gmail.com> wrote:
> Hi Maxim,
>
> Thanks for the prompt response. Yes, we're using Openssl 1.1.0e at the
> moment...That is unfortunate, what would you suggest doing? Report this to
> the openssl devs? An extra RTT is quite painful.
>
> Best,
>
> Albert
>
> On Mon, May 22, 2017 at 9:27 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
>> Hello!
>>
>> On Mon, May 22, 2017 at 08:15:43PM +0200, Albert Casademont wrote:
>>
>> > Hi,
>> >
>> > A few years ago a bug was reported on the extra RTT caused by large
>> > certificates (https://trac.nginx.org/nginx/ticket/413). Doing some
>> routine
>> > testing I see that this behaviour is also present in at least nginx 1.12
>> > and 1.13. Is it possible that the bug has reappeared? The threshold for
>> the
>> > extra RTT seems to be again at 4KB
>> >
>> > Attaching a Webpagetest with the tcpdump file, you can clearly see that
>> the
>> > server stops and waits for the extra ACK before sending the remainder of
>> > the certificate (the long cert is just for testing, but the same happens
>> > when sending the OCSP response if stapling is activated).
>> >
>> > wpt: https://www.webpagetest.org/result/170522_SA_1A3B
>> > tcpdump:
>> > https://www.webpagetest.org/getgzip.php?test=170522_SA_1A3B&file=1.cap
>> (use
>> > "(ip.addr eq 192.168.10.65 and ip.addr eq 37.187.169.10) and (tcp.port
>> eq
>> > 57109 and tcp.port eq 443)" filter in wireshark)
>>
>> Which OpenSSL version you are using? It is quite possible that
>> changes in OpenSSL broke this, as OpenSSL provides no official way
>> to adjust handshake buffers.
>>
>> Quick testing suggest that it works properly with OpenSSL 1.0.2k,
>> but not with OpenSSL 1.1.0d. Looking into the code suggests that
>> it is broken by this commit:
>>
>> https://github.com/openssl/openssl/commit/2e7dc7cd688
>>
>> And it looks like it is no longer possible to adjust handshake
>> buffer size with OpenSSL 1.1.0 and up, unfortunately.
>>
>> --
>> Maxim Dounin
>> http://nginx.org/
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20170522/cfb71c1e/attachment.html>
More information about the nginx-devel
mailing list