Current time: 12-16-2019, 02:32 AM Hello There, Guest! (LoginRegister)

Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Website Test Results - SSL Negotiation Question
03-13-2013, 02:23 AM
Post: #1
Website Test Results - SSL Negotiation Question
I've been running some benchmark tests of several sites for a couple weeks. I noticed that the First View SSL Negotiation times have decreased drastically for differing HTTPs calls from all site tests after March 8th using Dulles, VA - IE 8 - Cable. Each site has seen improvements in some but not all internal HTTPS calls and external HTTPS calls to x+1, doubleclick and several others - too many to be just a coincidence.

Here's some examples for one such site:
3/1 http://www.webpagetest.org/result/130301...0/details/
3/4 http://www.webpagetest.org/result/130304...2/details/
3/8 http://www.webpagetest.org/result/130308...8/details/
3/11 http://www.webpagetest.org/result/130311...4/details/
3/12 http://www.webpagetest.org/result/130312...2/details/

I've since run similar tests for some of the sites from 6 of the 7 U.S. locations and the SSL Negotiation times HAVE NOT varied by much from any of the other locations except Dulles, VA. Any idea what could be the cause of this decrease in SSL Negotiation times?

Any help is greatly appreciated,

Jeff
Find all posts by this user
Quote this message in a reply
03-13-2013, 04:46 AM
Post: #2
RE: Website Test Results - SSL Negotiation Question
With the 2.10 release I changed the default behavior for clearing the OS certificate caches.

Somewhere around 6 months ago I started clearing the OS certificate caches which cased SSL negotiation times to go up significantly for the IE agents that were running on Windows Vista or later (IE on XP does not do CRL/OCSP checks).

There was quite a bit of push-back because it was clearing all of the certificates, including the certs from the root providers so IE was validating things like verisign's root cert which is something that will hardly ever happen to end users.

The real world lies somewhere in between but I don't have a way to just clear the leaf certificates and it was skewing site's performance enough that it was hiding other issues so I made it an option on a per-test basis and it is disabled by default (it's available in the advanced settings if you want to re-enable it for a given test).
Visit this user's website Find all posts by this user
Quote this message in a reply
03-13-2013, 06:23 AM
Post: #3
RE: Website Test Results - SSL Negotiation Question
Was that change something that took place since 3/8?
Find all posts by this user
Quote this message in a reply
03-13-2013, 06:26 AM
Post: #4
RE: Website Test Results - SSL Negotiation Question
Yes, sorry, it was actually after the 2.10 release. 3/8 at around 1:45PM ET
Visit this user's website Find all posts by this user
Quote this message in a reply
03-13-2013, 07:31 AM
Post: #5
RE: Website Test Results - SSL Negotiation Question
Okay, thanks for the prompt response. I'm thinking we should run tests with an without SSL Certificate Caches cleared and use the median.
Find all posts by this user
Quote this message in a reply
03-13-2013, 10:24 PM
Post: #6
RE: Website Test Results - SSL Negotiation Question
That would be my recommendation. It's worth looking at the cost for OCSP checks, etc every now and then but I'd pay more attention to the site with the certs cached.
Visit this user's website Find all posts by this user
Quote this message in a reply
03-13-2013, 11:40 PM
Post: #7
RE: Website Test Results - SSL Negotiation Question
Thanks for the confirmation. We'll incorporate some less frequent tests that examine OCSP checks. One last question related to this thread - Should I expect shorter SSL negotiation times since the 2.10 release at the other U.S. locations as well?
Find all posts by this user
Quote this message in a reply
03-14-2013, 01:09 AM
Post: #8
RE: Website Test Results - SSL Negotiation Question
It depends on the OS they are running. I believe most locations are on Server 2003 or XP and would not have been doing the OCSP/CRL checks.
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)