Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Fri 17 Jan '14 15:38 Post subject: HTTPS very slow or not responding

I have a problem with slow Apache 2.4.4. It's only related to https, which is in general 5 times slower than the same site via http. I see this difference on the monitoring software, which measures the response time to http and https every 5 seconds. In some cases I even got timeouts in the browser on https while at the same time the site was opening over http - slowly, but it always opens.
Apache runs on Win2k8 Enterprise, version 2.4.4 x64 - VC10. The server is connected via a quite poor internet connection, as it's located in Africa. Despite the connection quality, http is working properly all the time.
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Fri 17 Jan '14 18:31 Post subject:

Can you tell us something about your configuration (httpd) and the ssl implementation?
For example, cipher suites including "dh-keys" with more than 2048 bits take some time.
And for Windows systems there are some parameters which help to improve performance.
Greets
JR
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Sat 18 Jan '14 17:31 Post subject:

ssl.conf:
Code:
    Listen 192.168.1.65:443 https
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache "shmcb:C:/Apache24/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    Mutex default
    <VirtualHost 192.168.1.65:443>
    DocumentRoot "C:/Apache24/htdocs"
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    ServerAlias another_mydomain.com
    ServerAlias www.another_mydomain.com
    ErrorLog "log/apache/error.log"
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"
    SSLCertificateChainFile "conf/ssl/ca_bundle.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "C:/Apache24/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    </VirtualHost>
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Sat 18 Jan '14 21:10 Post subject:

Ok. How did you measure the difference?
Is it a complex web-site?
What kind of browser do you use? (if possible pls test with firefox).
Your ssl.conf looks ok, although I would change the
Code:
    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
The newer MSIEs should not have any problems with ssl renegotiation:
Therefore I would try:
Code:
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown
Besides all this I would like to ask if the server has more than one NIC installed and, if so, how the binding is configured, since you use a dedicated IP for the vhost configuration. Sometimes it's a problem with the binding.
Finally, check your firewall if the server is placed in a DMZ.
Last edited by jraute on Mon 27 Jan '14 17:36; edited 1 time in total
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Mon 20 Jan '14 9:48 Post subject:

jraute wrote:
    Ok. How did you measure the difference?
I have a monitoring system which is constantly checking the connection both to http and https. I'm getting alert notifications only for https.
jraute wrote:
    Is it a complex web-site?
What do you mean by complex web-site?
jraute wrote:
    What kind of browser do you use? (if possible pls test with firefox).
Checked in FF as well - doesn't work either.
jraute wrote:
    Your ssl.conf looks ok, although I would change the
    BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    The newer MSIEs should not have any problems with ssl renegotiation:
    Therefore I would try:
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown
Thanks, I will consider this change.
jraute wrote:
    Besides all this I would like to ask if the server has more than one NIC installed and, if so, how the binding is configured, since you use a dedicated IP for the vhost configuration. Sometimes it's a problem with the binding.
This is a virtual machine with one virtual NIC. I have multiple private network IPs configured; Apache runs on a certain IP, not shared with any other services.
jraute wrote:
    Finally, check your firewall if the server is placed in a DMZ.
The firewall configuration hasn't been changed for more than a year.
I wonder if an https connection needs many more resources than http, whether it requires a more stable internet connection, more server resources etc. on the server side? As I mentioned, the server is located in Africa, with a quite poor quality connection - I wonder if that could have an impact. On the other hand http works all the time, without any problems.
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 20 Jan '14 13:07 Post subject:

Are there any indications in the Apache error.log and/or Windows Event Viewer?
Do you have in your httpd.conf:
Code:
    AcceptFilter http none
    AcceptFilter https none
    EnableSendfile off
    EnableMMAP off
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Mon 20 Jan '14 14:18 Post subject:

Steffen wrote:
    Are there any indications in the Apache error.log and/or Windows Event Viewer?
The error log is clear. In Event Viewer I have found two errors; both of them show up only when Apache is restarted:
Code:
    "Faulting application name: httpd.exe, version: 2.4.4.0, time stamp: 0x5127dda0
    Faulting module name: SSLEAY32.dll, version: 1.0.1.5, time stamp: 0x5123e06c
    Exception code: 0xc0000005
    Fault offset: 0x0000000000015e99
    Faulting process id: 0x7360
    Faulting application start time: 0x01cf14633bd64727
    Faulting application path: C:\Apache24\bin\httpd.exe
    Faulting module path: C:\Apache24\bin\SSLEAY32.dll
    Report Id: b159de2a-8056-11e3-91ac-005056934851"
Code:
    Faulting application name: httpd.exe, version: 2.4.4.0, time stamp: 0x5127dda0
    Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
    Exception code: 0xc0000374
    Fault offset: 0x00000000000c4102
    Faulting process id: 0x6bac
    Faulting application start time: 0x01cf1462efff97eb
    Faulting application path: C:\Apache24\bin\httpd.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 7b2f4f2f-8056-11e3-91ac-005056934851
Steffen wrote:
    Do you have in your httpd.conf:
    AcceptFilter http none
    AcceptFilter https none
    EnableSendfile off
    EnableMMAP off
Yes.
I believe that the first thing I would do is upgrade to version 2.4.7.
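The two Event Viewer records above carry the same three fields a log-watcher would key on: the faulting module, the exception code and the fault offset. The following script, added here as an example and not code from the thread, extracts the module and translates the NTSTATUS exception code so the two restart crashes can be compared at a glance (0xc0000005 is STATUS_ACCESS_VIOLATION, here inside the OpenSSL DLL; 0xc0000374 is STATUS_HEAP_CORRUPTION, reported by ntdll). The sample record is constructed from the first event; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage of Windows "Faulting application"
# event records. Reads a record on stdin and emits "module STATUS_NAME".
set -u

# Map the NTSTATUS exception codes commonly seen in application-crash events
# to their names; comparison is case-insensitive on the hex digits.
ntstatus_name() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0xc0000005) echo "STATUS_ACCESS_VIOLATION" ;;
        0xc0000374) echo "STATUS_HEAP_CORRUPTION" ;;
        0xc00000fd) echo "STATUS_STACK_OVERFLOW" ;;
        *)          echo "UNKNOWN" ;;
    esac
}

# Print the value of "Field name: value" from a record on stdin (first match),
# tolerating the stray quote characters the copied records carry.
field() {
    sed -n "s/^[\"]*$1: *//p" | sed 's/"$//' | head -n 1
}

# Summarize a record on stdin as one line: "<module> <exception name>".
# The module name is the part of "Faulting module name" before the first comma.
summarize_crash() {
    rec=$(cat)
    module=$(printf '%s\n' "$rec" | field 'Faulting module name' | cut -d, -f1)
    code=$(printf '%s\n' "$rec" | field 'Exception code')
    printf '%s %s\n' "$module" "$(ntstatus_name "$code")"
}

# Constructed sample: the first of the two records posted in the thread.
SAMPLE_RECORD='"Faulting application name: httpd.exe, version: 2.4.4.0, time stamp: 0x5127dda0
Faulting module name: SSLEAY32.dll, version: 1.0.1.5, time stamp: 0x5123e06c
Exception code: 0xc0000005
Fault offset: 0x0000000000015e99
Faulting process id: 0x7360"'

# Demo: sh crashtriage.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RECORD" | summarize_crash
fi
```

Running the summary over both records gives "SSLEAY32.dll STATUS_ACCESS_VIOLATION" and "ntdll.dll STATUS_HEAP_CORRUPTION"; both are memory-safety faults in the process, which is why the first advice in the thread (upgrade the httpd/OpenSSL build) is the right order of work before tuning ciphers.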
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 20 Jan '14 14:34 Post subject:

Yep, upgrade first to 2.4.7, quite some fixes also in the slow/bad connection area.
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Mon 20 Jan '14 18:29 Post subject:

Qmpeltaty wrote:
    jraute wrote:
        Is it a complex web-site?
    What do you mean by complex web-site?
I thought about webpages with multiple elements, scripts and dynamic content. That can be problematic.
Btw did you implement mod_deflate?
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Tue 21 Jan '14 12:11 Post subject:

jraute wrote:
    Qmpeltaty wrote:
        jraute wrote:
            Is it a complex web-site?
        What do you mean by complex web-site?
    I thought about webpages with multiple elements, scripts and dynamic content. That can be problematic.
    Btw did you implement mod_deflate?
In that sense - yes, my sites are complex. Most of the content is served by a JBoss application server fronted, through the mod_jk module, by this Apache instance I have the problem with.
Regarding mod_deflate - it's implemented. deflate.conf:
Code:
    <IfModule deflate_module>
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
    #AddOutputFilterByType DEFLATE text/css application/javascript
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    DeflateCompressionLevel 9
    DeflateFilterNote Input input_info
    DeflateFilterNote Output output_info
    DeflateFilterNote Ratio ratio_info
    </IfModule>
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Tue 21 Jan '14 15:35 Post subject:

Upgrading is surely a good thing.
A last idea: Have you measured the performance via https to a simple html page on your server?
If that speed is nearly the same as with http, then your page layout/configuration is the problem.
(I remember a guy who analyzed the page speed and started with a site having 12 seconds loading time. After several improvements, mainly in the page design, the same content loaded in 1.3 seconds.)
If it is the same problem even with a simple html page, then you should try to analyse the network traffic and what the TCP packets are doing.
[joke mode on] the NSA needs some time to decrypt the ssl session [joke mode off]
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Wed 22 Jan '14 15:15 Post subject:

jraute wrote:
    Upgrading is surely a good thing.
    A last idea: Have you measured the performance via https to a simple html page on your server?
My monitoring system is checking the connection time to a simple html page - when https is working slowly, http is working fine.
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Wed 22 Jan '14 22:13 Post subject:

Ok, there is a webpagetest site which analyzes what is going on while loading the page.
http://www.webpagetest.org
Maybe it helps you identify the part of the loading process which costs most of the time. (Just click on the waterfall view.)
After that it will be a bit easier to find a solution, although I am not sure if there will be a solution.
Last edited by jraute on Fri 24 Jan '14 10:54; edited 1 time in total
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Fri 24 Jan '14 14:33 Post subject:

Assessment failed: Unable to connect to server
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Fri 24 Jan '14 15:11 Post subject:

Ok, thanks for coming back and sharing the result.
If the assessment fails it means that the handshake didn't work. There can be several reasons for that behaviour:
timeout, blocking scripts, firewall, unknown extensions, a wrong order of cipher suites.
Pls check this: http://sourceforge.net/mailarchive/message.php?msg_id=31805015
And maybe the problem can be easily solved by defining a working ssl cipher suite combination.
Greets
JR
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Fri 24 Jan '14 15:27 Post subject:

As I said, this server is located in Africa, where the connection quality is quite poor; however, http works all the time. Apache has just been upgraded to 2.4.7 and it didn't help.
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Sat 25 Jan '14 1:21 Post subject:

Some more ideas:
1. Do you have an RDP connection to your server? Then you could test https://127.0.0.1/... and look if that works.
2. If possible, try to test with cipher suites of the "medium" class.
3. Check if the keys and the CA file are working.
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Mon 27 Jan '14 18:04 Post subject:

jraute wrote:
    Some more ideas:
    1. Do you have an RDP connection to your server? Then you could test https://127.0.0.1/... and look if that works.
I did, it doesn't work locally either.
jraute wrote:
    2. If possible, try to test with cipher suites of the "medium" class.
How should I do this? Should I remove the HIGH ciphers from the ssl.conf?
jraute wrote:
    3. Check if the keys and the CA file are working.
How do I check it?
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Mon 27 Jan '14 18:56 Post subject:

Ok, back to the start with ssl.
After the update to 2.4.7 it could be helpful to look at your log file when Apache starts. Is the ssleay error still there? Maybe we should look at that as well.
For a test you could try to remove the "high" definition from the SSLCipherSuite and comment out the SSLCertificateChainFile.
Then you would get a certificate/key-file combination which cannot be verified against a CA chain, but for testing who cares - sometimes it's good to start as simple as possible.
(In this case, in a browser you would have to accept that the key is not signed by a trusted CA and go on ...)
If you are not sure if the certificate is working you can build one by yourself with openssl. (Just ask for a howto, if needed.)
For the test try to start with smaller keys, because keys with more than 1024 bits in combination with some cipher suites can cause delays.
Greets
JR
Last edited by jraute on Mon 27 Jan '14 19:08; edited 2 times in total
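The checks jraute describes in this post, and the two open questions from Qmpeltaty's previous post (how to test with a different cipher class, and how to check that the key and the CA file are working), fit in one small shell script. It is added here as an example and is not code from the thread, from Apache or from OpenSSL. It assumes the `openssl` and `curl` command-line tools are on PATH; the file names server.crt/server.key, the CN test.example.invalid and the function names are assumptions. The test certificate uses a 2048-bit key rather than the 1024-bit size suggested above, because 1024-bit RSA is below what current browsers and OpenSSL builds accept by default.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a mod_ssl setup
# using only the openssl and curl command-line tools (assumed to be on PATH).
# Every function returns 0 on success so it can be used in scripts and tests.
set -u

# Build a throwaway self-signed certificate + key (the "build one by yourself
# with openssl" step): 2048-bit RSA, 30 days, unencrypted key (-nodes) so
# httpd starts without a passphrase prompt. Argument: directory to write into.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=test.example.invalid" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# 0 when the certificate's public key belongs to the private key: both files
# must report the same RSA modulus. A mismatch makes every TLS handshake fail
# while plain http keeps working. Arguments: certificate file, key file.
key_matches_cert() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# 0 when the certificate chains to the CA bundle, i.e. the check a browser
# makes against SSLCertificateFile + SSLCertificateChainFile.
# Arguments: CA bundle file, certificate file.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# List the suites an OpenSSL/mod_ssl cipher string selects on this OpenSSL
# build, one per line. Run it on the server's own openssl before putting a
# string such as MEDIUM or the one from ssl.conf into SSLCipherSuite.
expand_cipher_spec() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Number of suites a spec selects; 0 means httpd could agree with no client.
count_ciphers() {
    expand_cipher_spec "$1" | grep -c .
}

# Time one HTTPS fetch and show where the time goes: TCP connect, TLS
# handshake complete (appconnect), first byte, total. On a lossy link a large
# gap between connect and tls points at the handshake itself rather than the
# page. -k accepts the self-signed test certificate and is for that test only.
time_https() {
    curl -sk -o /dev/null \
        -w 'connect=%{time_connect}s tls=%{time_appconnect}s firstbyte=%{time_starttransfer}s total=%{time_total}s\n' \
        "$1"
}

# Demo: sh tlscheck.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp"
    key_matches_cert "$tmp/server.crt" "$tmp/server.key" && echo "key and certificate match"
    # a self-signed certificate is its own CA, so it verifies against itself
    chain_verifies "$tmp/server.crt" "$tmp/server.crt" && echo "chain verifies"
    echo "HIGH selects $(count_ciphers HIGH) suites on this OpenSSL build"
    rm -rf "$tmp"
fi
```

For the thread's setup the same functions would be pointed at conf/ssl/server.crt, conf/ssl/server.key and conf/ssl/ca_bundle.crt, and `time_https https://127.0.0.1/` run over RDP on the server, as jraute suggests, separates a slow handshake from a slow page: if tls minus connect is already several seconds, the cipher string and certificate chain are the place to look; if the handshake is quick and firstbyte is late, the backend (mod_jk/JBoss) or the page itself is.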