SSL slow on nginx

Maxim Dounin mdounin at mdounin.ru
Mon Jun 30 22:40:06 UTC 2014


Hello!

On Sat, Jun 28, 2014 at 01:14:16AM -0400, khav wrote:

> For my site, SSL seems to be slow even though I got an A+ on SSL Labs
> (implemented OCSP stapling, Forward Secrecy, SPDY).

Note that SSL Labs grades are about security, not about speed.

> Here is the result from Pingdom:
> 
> http://tools.pingdom.com/fpt/#!/cc2MfH/https://www.filterbypass.me/
> 
> 
> Notice the high connect time and high SSL negotiation time.

The test is done from the Netherlands, the site is in the US, and the RTT 
seems to be about 170ms.  So a connect will take 170ms minimum (1*RTT), 
and an SSL handshake without a cached session will take 340ms minimum 
(2*RTT).  And these are only network costs, not counting any 
computational costs for SSL.

Pingdom numbers for the first page, as I see them, are as follows:

SSL 168ms
Connect 572ms
Send 0ms
Wait 304ms
Receive 6ms

They seem to be labeled incorrectly (the 1st number is 
actually connect time, while the 2nd one is SSL handshake, not vice 
versa as they are labeled).  Connect time seems pretty much 
normal, just 1 RTT, close to the minimum possible.  SSL handshake 
time is a bit more than it could be, about 3 RTT for some reason.  
A simple test here suggests that the cause is likely CPU usage on your 
server - the response to ServerHello is noticeably delayed.

One of the possible reasons is that you prefer ciphers with 
forward secrecy, and they are CPU hungry, especially DH ones:

>    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
>    ssl_prefer_server_ciphers on;

You may try "openssl speed rsa2048" to find out how many 
handshakes per core your server can handle.  Note that ECDH with a 
256-bit curve will result in about a 2x slowdown compared to plain 
RSA, and DH with 2048-bit params - up to a 10x slowdown.

Additionally, make sure that:

- you've properly tuned the number of worker processes to match your 
  server cores, see http://nginx.org/r/worker_processes;

- the number of handshakes per second isn't reaching the numbers your 
  server can handle, use "openssl speed" to find out.

-- 
Maxim Dounin
http://nginx.org/
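The two checks Maxim suggests above (read handshake capacity off "openssl speed rsa2048", and compare the measured handshake time with the 2*RTT network floor) as an added example. This is not code from the original message or from nginx; the "openssl speed" output it parses is a constructed sample in the OpenSSL 1.x format, the 2x/10x key-exchange cost factors are the rule-of-thumb figures from the message applied as linear scaling of the RSA private-key rate, and the half-RTT slack used to flag a CPU-bound handshake is an assumption of the example.

```python
"""Added example: estimate TLS full-handshake capacity from `openssl speed
rsa2048` output and check whether measured connect/handshake times are
explained by network RTT alone.  Not code from the original message; the
sample output below is constructed."""
import re

# Constructed sample of `openssl speed rsa2048` output (OpenSSL 1.x layout;
# the numbers are made up for this example).
SAMPLE_SPEED_OUTPUT = """\
Doing 2048 bit private rsa's for 10s: 15334 2048 bit private RSA's in 10.00s
Doing 2048 bit public rsa's for 10s: 498271 2048 bit public RSA's in 10.00s
OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Apr  7 21:22:23 UTC 2014
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000652s 0.000020s   1533.4  49827.1
"""

# Relative per-handshake cost of the key exchange, as given in the message:
# ECDHE on a 256-bit curve about 2x plain RSA, DHE with 2048-bit params up
# to 10x.  Applying them as a linear scale factor is this example's assumption.
KEX_COST_FACTOR = {"RSA": 1.0, "ECDHE": 2.0, "DHE": 10.0}

# Summary-table row: "rsa 2048 bits 0.000652s 0.000020s   1533.4  49827.1"
_RSA_ROW = re.compile(
    r"^rsa\s+(\d+)\s+bits\s+([\d.]+)s\s+([\d.]+)s\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_rsa_speed(output):
    """Return {key_bits: private_ops_per_second} from the table that
    `openssl speed rsa...` prints at the end (the 'sign/s' column); the
    'Doing ...', version and compiler lines are skipped."""
    ops = {}
    for line in output.splitlines():
        m = _RSA_ROW.match(line.strip())
        if m:
            ops[int(m.group(1))] = float(m.group(4))
    return ops


def handshakes_per_second(sign_per_sec, workers, kex="RSA"):
    """Rough ceiling on full (non-resumed) handshakes per second: one RSA
    private-key operation per handshake per core, multiplied by the number of
    nginx workers (one per core) and divided by the key-exchange cost."""
    return sign_per_sec * workers / KEX_COST_FACTOR[kex]


def diagnose(connect_ms, handshake_ms, rtt_ms, slack_rtts=0.5):
    """Express the measured phases in RTTs against the network floor from the
    message: TCP connect costs 1 RTT, a full TLS handshake 2 RTT.  A handshake
    more than `slack_rtts` above 2 RTT is flagged as likely spent in
    server-side computation (the threshold is this example's assumption)."""
    handshake_rtts = handshake_ms / rtt_ms
    return {
        "connect_rtts": connect_ms / rtt_ms,
        "handshake_rtts": handshake_rtts,
        "excess_ms": handshake_ms - 2 * rtt_ms,
        "cpu_suspected": handshake_rtts > 2 + slack_rtts,
    }


if __name__ == "__main__":
    sign_per_sec = parse_rsa_speed(SAMPLE_SPEED_OUTPUT)[2048]
    for kex in KEX_COST_FACTOR:
        rate = handshakes_per_second(sign_per_sec, workers=4, kex=kex)
        print(f"{kex:5s} ~{rate:8.0f} full handshakes/s on 4 workers")
    # Pingdom phases with the labels swapped as the message notes: 168 ms is
    # the TCP connect, 572 ms the TLS handshake; RTT about 170 ms.
    d = diagnose(connect_ms=168, handshake_ms=572, rtt_ms=170)
    print(f"connect {d['connect_rtts']:.2f} RTT, handshake "
          f"{d['handshake_rtts']:.2f} RTT, {d['excess_ms']:.0f} ms beyond the "
          f"2 RTT floor, cpu_suspected={d['cpu_suspected']}")
```

With the figures from the message (RTT 170 ms, handshake 572 ms) the handshake comes out at about 3.36 RTT, roughly 230 ms more than the network alone explains, which is the part to compare against the per-core signing rate and the worker count.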


