Extra RTT on large certificates (again?)

Maxim Dounin mdounin at mdounin.ru
Tue May 23 17:56:11 UTC 2017


On Tue, May 23, 2017 at 06:44:27PM +0200, Albert Casademont wrote:

> Hi Maxim,
> Yes, as we were already compiling our own nginx we apply a patch in openssl
> before compilation increasing the buffer size to 5120 bytes as a workaround.
> As for the patch, we already had "tcp_nodelay on" set in our http {} config
> and we kept seeing the extra RTT, is this a different setting or am I
> missing something?

Normally nginx doesn't try to set TCP_NODELAY unless needed, even 
with "tcp_nodelay on" (which is the default, BTW).  Usually 
it is set when a connection goes to keepalive state.

With the patch TCP_NODELAY will be set before SSL handshake, and 
so there will be no extra RTT if the handshake buffer used by 
OpenSSL is not enough.

> I believe the optimal solution would be that openssl exposed an API to
> dynamically adjust the buffer size, I'll try to work on that...
The TCP_NODELAY patch may make sense regardless though, it will 
address the problem for old OpenSSL versions and will also protect 
from other similar issues (e.g., we've seen NewSessionTicket 
messages sent in separate writes when testing TLSv1.3 with OpenSSL 
master branch).

Maxim Dounin
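The ordering point above (disable Nagle on the accepted connection before the TLS handshake starts, so a Certificate flight that OpenSSL splits across several write() calls is not held back waiting for an ACK) as an added Python illustration; this is not nginx's patch, which is in C, and the loopback check below is constructed here and does not run a TLS handshake.

```python
import socket
import ssl


def enable_nodelay_before_handshake(conn: socket.socket) -> bool:
    """Set TCP_NODELAY on an accepted TCP connection and confirm it took.

    Done before any TLS bytes are written: if the server's handshake flight
    exceeds OpenSSL's internal buffer and goes out as two writes, Nagle would
    otherwise hold the second (short) segment until the first is ACKed,
    costing a full RTT on the handshake.
    """
    conn.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    return bool(conn.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY))


def accept_tls(listener: socket.socket, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Accept one client and wrap it in TLS; NODELAY goes on first."""
    conn, _ = listener.accept()
    enable_nodelay_before_handshake(conn)  # must precede wrap_socket()
    # wrap_socket() with do_handshake_on_connect=True writes ServerHello,
    # Certificate, ... immediately, so the option has to be set already.
    return ctx.wrap_socket(conn, server_side=True)


def demo_loopback() -> tuple:
    """Constructed check on 127.0.0.1: returns (nodelay_before, nodelay_after)
    for the server side of a fresh accepted connection."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    cli = socket.create_connection(lst.getsockname())
    srv, _ = lst.accept()
    try:
        before = bool(srv.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY))
        after = enable_nodelay_before_handshake(srv)
        return before, after
    finally:
        srv.close()
        cli.close()
        lst.close()


if __name__ == "__main__":
    print(demo_loopback())
```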
