Extra RTT on large certificates (again?)

Albert Casademont albertcasademont at gmail.com
Tue May 23 21:21:32 UTC 2017


Thanks, makes perfect sense :)

On Tue, May 23, 2017 at 7:56 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Tue, May 23, 2017 at 06:44:27PM +0200, Albert Casademont wrote:
>
> > Hi Maxim,
> >
> > Yes, as we were already compiling our own nginx we apply a patch in
> > openssl before compilation increasing the buffer size to 5120 bytes as a
> > workaround.
> >
> > As for the patch, we already had "tcp_nodelay on" set in our http {}
> > config and we kept seeing the extra RTT, is this a different setting or
> > am I missing something?
>
> Normally nginx doesn't try to set TCP_NODELAY unless needed, even
> with "tcp_nodelay on" (which is the default, BTW).  Usually
> it is set when a connection goes to keepalive state.
>
> With the patch TCP_NODELAY will be set before SSL handshake, and
> so there will be no extra RTT if the handshake buffer used by
> OpenSSL is not enough.
>
> > I believe the optimal solution would be that openssl exposed an API to
> > dynamically adjust the buffer size, I'll try to work on that...
>
> Sure.
>
> The TCP_NODELAY patch may make sense regardless though, it will
> address the problem for old OpenSSL versions and will also protect
> from other similar issues (e.g., we've seen NewSessionTicket
> messages sent in separate writes when testing TLSv1.3 with OpenSSL
> master branch).
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
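The order of operations Maxim describes (enable TCP_NODELAY on the accepted socket before the TLS handshake starts, so that a handshake OpenSSL splits across two writes is not held back by Nagle's algorithm) can be checked in isolation. The block below is an added example written for this page; it is not nginx or OpenSSL code, and the hook name prepare_socket_for_tls_handshake is a hypothetical stand-in for the place in a server where accept() has returned and SSL_accept() is about to be called. It verifies the option with getsockopt rather than trusting that the set call took effect.

```c
/* Added example, not nginx or OpenSSL code: set TCP_NODELAY on an accepted
 * connection before the TLS handshake. If OpenSSL's handshake buffer is
 * smaller than the certificate chain, the ServerHello/Certificate flight
 * goes out in two write() calls; with Nagle enabled the second one waits
 * for the client's ACK of the first, which is the extra RTT from the thread. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the current TCP_NODELAY value (0 or 1), or -1 on error. */
int tcp_nodelay_get(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, &len) == -1)
        return -1;
    return val != 0;
}

/* Enable TCP_NODELAY; return 0 on success, -1 on error. */
int tcp_nodelay_set(int fd)
{
    int on = 1;
    return setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
}

/* Hypothetical hook, named for this example only: called after accept()
 * and before the TLS handshake. Returns 1 if the socket is now in nodelay
 * mode, 0 if it could not be enabled. */
int prepare_socket_for_tls_handshake(int fd)
{
    if (tcp_nodelay_get(fd) == 1)
        return 1;               /* already set, e.g. by a keepalive path */
    if (tcp_nodelay_set(fd) == -1)
        return 0;
    return tcp_nodelay_get(fd) == 1;   /* read back rather than assume */
}

/* Fresh, unconnected TCP socket standing in for an accepted connection. */
int demo_tcp_socket(void)
{
    return socket(AF_INET, SOCK_STREAM, 0);
}

/* Drive the sequence on a fresh socket. Returns 1 if TCP_NODELAY went from
 * off (the kernel default) to on, 0 otherwise, -1 if no socket was available. */
int demo_run(void)
{
    int fd = demo_tcp_socket();
    if (fd == -1)
        return -1;
    int before = tcp_nodelay_get(fd);
    int ready = prepare_socket_for_tls_handshake(fd);
    int after = tcp_nodelay_get(fd);
    close(fd);
    return (before == 0 && ready == 1 && after == 1) ? 1 : 0;
}

int main(void)
{
    int fd = demo_tcp_socket();
    if (fd == -1) {
        perror("socket");
        return 1;
    }
    printf("before handshake prep: TCP_NODELAY=%d\n", tcp_nodelay_get(fd));
    printf("prepared: %d\n", prepare_socket_for_tls_handshake(fd));
    printf("after handshake prep:  TCP_NODELAY=%d\n", tcp_nodelay_get(fd));
    close(fd);
    return 0;
}
```

The read-back matters: as the reply notes, nginx's "tcp_nodelay on" directive does not by itself set the option on a connection until it reaches the keepalive state, so a configuration check alone does not tell you what the socket looked like during the handshake.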