SSL slow on nginx
Maxim Dounin
mdounin at mdounin.ru
Mon Jun 30 22:40:06 UTC 2014
Hello!
On Sat, Jun 28, 2014 at 01:14:16AM -0400, khav wrote:
> For my site, SSL seems to be slow even though I got A+ on SSL Labs
> (implemented OCSP stapling, Forward Secrecy, SPDY)
Note that SSL Labs grades are about security, not about speed.
> Here is the result from pingdom
>
> http://tools.pingdom.com/fpt/#!/cc2MfH/https://www.filterbypass.me/
>
> Notice the high connect time and high SSL negotiation time
The test is done from the Netherlands, the site is in the US, RTT seems to
be about 170ms. So, a connect will take 170ms minimum (1*RTT), and an SSL
handshake without a cached session will take 340ms minimum
(2*RTT). And these are only network costs, not counting any
computational costs for SSL.
Pingdom numbers for the first pages as I see are as follows:
SSL 168ms
Connect 572ms
Send 0ms
Wait 304ms
Receive 6ms
They seem to be labeled incorrectly (the 1st number is
actually connect time, while the 2nd one is SSL handshake, not vice
versa as they are labeled). Connect time seems pretty much
normal, just 1 RTT, close to the minimum possible. SSL handshake
time is a bit more than it could be, about 3 RTT for some reason.
A simple test here suggests that the cause is likely CPU usage on your
server - the response to ServerHello is noticeably delayed.
One of the possible reasons is that you prefer ciphers with
forward secrecy, and they are CPU hungry, especially DH ones:
> ssl_ciphers
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
> ssl_prefer_server_ciphers on;
You may try "openssl speed rsa2048" to find out how many
handshakes per core your server can handle. Note that ECDH with a
256-bit curve will result in about a 2x slowdown compared to plain
RSA, and DH with 2048-bit params - up to a 10x slowdown.
Additionally, make sure that:
- you've properly tuned the number of worker processes to match your
server cores, see http://nginx.org/r/worker_processes;
- the number of handshakes per second isn't reaching numbers your
server can handle, use "openssl speed" to find out.
--
Maxim Dounin
http://nginx.org/
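The two checks Maxim describes, expressed as a small script (an added example, not part of the thread or of nginx): it reads the sign/s column out of "openssl speed rsa2048" output, scales it by worker count and by the ECDHE/DHE slowdown factors he quotes, and converts measured connect/SSL times into RTT multiples against the 1 RTT / 2 RTT minimums. The speed output below is a constructed sample, not a real measurement.

```python
# Constructed sample of "openssl speed rsa2048" output (OpenSSL 1.x column
# layout: sign, verify, sign/s, verify/s). Values are made up for the example.
SAMPLE_SPEED_OUTPUT = """\
Doing 2048 bits private rsa's for 10s: 17514 2048 bits private RSA's in 10.00s
Doing 2048 bits public rsa's for 10s: 555561 2048 bits public RSA's in 10.00s
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000571s 0.000018s   1751.4  55556.1
"""

# Slowdown relative to plain RSA key exchange, as stated in the post:
# ECDHE with a 256-bit curve about 2x, DHE with 2048-bit params up to 10x.
KEX_SLOWDOWN = {"RSA": 1.0, "ECDHE": 2.0, "DHE": 10.0}


def parse_rsa_sign_rate(speed_output: str, bits: int = 2048) -> float:
    """Return the sign/s figure for the given RSA key size from openssl speed output.

    Time columns end in 's' (e.g. 0.000571s); the first plain number after
    'bits' is sign/s in both the 1.x and 3.x column layouts.
    """
    for line in speed_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[:3] == ["rsa", str(bits), "bits"]:
            rates = [float(f) for f in fields[3:] if not f.endswith("s")]
            if rates:
                return rates[0]
    raise ValueError(f"no 'rsa {bits} bits' line in openssl speed output")


def handshake_capacity(sign_per_sec: float, worker_processes: int, kex: str) -> float:
    """Rough ceiling on full (uncached) handshakes/s: one RSA signature per
    handshake, one core per worker, divided by the key-exchange slowdown."""
    return sign_per_sec * worker_processes / KEX_SLOWDOWN[kex]


def rtt_budget(rtt_ms: float, connect_ms: float, ssl_ms: float) -> dict:
    """Express measured connect and SSL handshake times as RTT multiples.

    TCP connect needs at least 1 RTT, an uncached full handshake at least 2 RTT;
    'ssl_excess_ms' is the time above that network minimum, i.e. what the
    server (or the path) spent beyond pure round trips.
    """
    return {
        "connect_rtts": connect_ms / rtt_ms,
        "ssl_rtts": ssl_ms / rtt_ms,
        "ssl_excess_ms": max(0.0, ssl_ms - 2 * rtt_ms),
    }
```

With the Pingdom numbers from the thread (RTT 170ms, connect 168ms, SSL 572ms) the SSL figure comes out at about 3.4 RTT, roughly 230ms over the 2 RTT minimum, which is the gap Maxim attributes to server-side CPU.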