Extra RTT on large certificates (again?)
Maxim Dounin
mdounin at mdounin.ru
Tue May 23 17:56:11 UTC 2017
Hello!
On Tue, May 23, 2017 at 06:44:27PM +0200, Albert Casademont wrote:
> Hi Maxim,
>
> Yes, as we were already compiling our own nginx we apply a patch in openssl
> before compilation increasing the buffer size to 5120 bytes as a workaround.
>
> As for the patch, we already had "tcp_nodelay on" set in our http {} config
> and we kept seeing the extra RTT. Is this a different setting, or am I
> missing something?
Normally nginx doesn't try to set TCP_NODELAY unless needed, even
with "tcp_nodelay on" (which is the default, BTW). Usually
it is set when a connection goes to keepalive state.
With the patch TCP_NODELAY will be set before SSL handshake, and
so there will be no extra RTT if the handshake buffer used by
OpenSSL is not enough.
> I believe the optimal solution would be that openssl exposed an API to
> dynamically adjust the buffer size, I'll try to work on that...
Sure.
The TCP_NODELAY patch may make sense regardless, though: it will
address the problem for old OpenSSL versions and will also protect
from other similar issues (e.g., we've seen NewSessionTicket
messages sent in separate writes when testing TLSv1.3 with OpenSSL
master branch).
--
Maxim Dounin
http://nginx.org/
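The ordering Maxim describes, as an added example that is not part of the thread and is not nginx or OpenSSL code: TCP_NODELAY is set on the accepted socket before the TLS library gets it (i.e. before SSL_accept() would be called), so that a handshake flight larger than the library's write buffer, which is emitted as two write() calls, is not held back by Nagle's algorithm waiting for the ACK of the first segment. The helper names (tcp_nodelay_get, tcp_nodelay_set, prepare_tls_socket, flight_writes, loopback_pair) and the 4500-byte sample flight are this example's own; it assumes POSIX sockets on Linux and does not link OpenSSL.

```c
/* Added example (not nginx or OpenSSL code): set TCP_NODELAY on the
 * accepted socket before the TLS handshake, and count how many writes
 * a handshake flight needs for a given write-buffer size. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if TCP_NODELAY is set on fd, 0 if not, -1 on error. */
int tcp_nodelay_get(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, &len) < 0)
        return -1;
    return val != 0;
}

/* Set (on=1) or clear (on=0) TCP_NODELAY; 0 on success, -1 on error. */
int tcp_nodelay_set(int fd, int on)
{
    return setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
}

/* What a server does on each accepted socket right before handing it to
 * the TLS library (before SSL_accept()).  Returns 1 if TCP_NODELAY is now
 * set, -1 on error.  Doing this *after* the handshake is too late: the
 * handshake writes have already gone through Nagle. */
int prepare_tls_socket(int fd)
{
    if (tcp_nodelay_set(fd, 1) < 0)
        return -1;
    return tcp_nodelay_get(fd);
}

/* Number of separate write() calls a handshake flight of flight_len bytes
 * needs when the TLS library flushes every buf_len bytes.  A flight that
 * does not fit in one buffer produces a second, smaller write, and that
 * second write is the one Nagle holds until the first segment is ACKed.
 * Returns 0 for buf_len == 0 (no valid buffer). */
size_t flight_writes(size_t flight_len, size_t buf_len)
{
    if (buf_len == 0)
        return 0;
    return (flight_len + buf_len - 1) / buf_len;
}

/* Creates a connected loopback pair (server side via accept(), client side
 * via connect()) so the option can be inspected on a real accepted socket.
 * Returns 0 on success, -1 on error. */
int loopback_pair(int *server_fd, int *client_fd)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd, sfd;

    if (lfd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* ephemeral port */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0
        || listen(lfd, 1) < 0
        || getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0) {
        close(lfd);
        return -1;
    }
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(lfd);
        if (cfd >= 0) close(cfd);
        return -1;
    }
    sfd = accept(lfd, NULL, NULL);           /* connection is already in the backlog */
    close(lfd);
    if (sfd < 0) {
        close(cfd);
        return -1;
    }
    *server_fd = sfd;
    *client_fd = cfd;
    return 0;
}

int main(void)
{
    int sfd, cfd;
    /* Constructed sample: a 4500-byte server flight against the 5120-byte
     * buffer from the quoted workaround, and against a smaller 4096-byte one. */
    printf("4500-byte flight, 4096-byte buffer: %zu write(s)\n", flight_writes(4500, 4096));
    printf("4500-byte flight, 5120-byte buffer: %zu write(s)\n", flight_writes(4500, 5120));
    if (loopback_pair(&sfd, &cfd) < 0) {
        perror("loopback_pair");
        return 1;
    }
    printf("accepted socket TCP_NODELAY before: %d\n", tcp_nodelay_get(sfd));
    printf("accepted socket TCP_NODELAY after prepare: %d\n", prepare_tls_socket(sfd));
    close(sfd);
    close(cfd);
    return 0;
}
```

To check a real server the same way, inspect the accepted socket's options while the handshake is in flight (for instance with `ss -ti`, where the `nodelay` flag shows per connection) rather than trusting the config line alone, since, as the reply notes, "tcp_nodelay on" in nginx only affects when the option is set, not whether it is set before the handshake.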