
We set up a new Rackspace server to shift capacity from an existing server we have that is overtaxed. During this process we set up a new SSL cert using the command line instead of the WHM / cPanel tools that my boss typically uses to do that.

I followed this Ubuntu wiki article:

https://help.ubuntu.com/11.04/serverguide/C/certificates-and-security.html

My problem is that when I go to the domain:

https://stoysnetcdn.com

It doesn't resolve very quickly at all the first time. It seems to always resolve quickly with HTTP, but the first time I access it on a machine it seems to be slow at doing something with verifying the certificate.

How can I diagnose why this is being slow so I can fix it?

Thank You!

Kristopher Ives
  • If you're using Firefox, install the Live Headers add-on and watch what goes on. If the problem revolves around your connection to the server, that will probably shed some light on it. – jdw Nov 10 '11 at 19:08
  • Thanks, giving that a shot now. Haven't used that plugin in some time. – Kristopher Ives Nov 10 '11 at 19:21
  • Might help. It only shows the HTTP traffic between your browser and the web server so if the problem is elsewhere it won't help, but you can at least eliminate something. – jdw Nov 10 '11 at 19:24

1 Answer


Run tcpdump on your client (or Wireshark if using a Windows client):

sudo tcpdump -ni eth0 -s0 -w /tmp/filename.pcap

(Your interface name might be something other than eth0.)

You have access to the private key, so you can probably easily decrypt the encrypted content with Wireshark. Open the trace in Wireshark, filter on your server's IP address by setting the display filter to ip.addr==a.b.c.d (where a.b.c.d is your server/site IP address), and look at the SSL/TLS handshake times. You will not need to decrypt the payload to view what is going on during the handshake. You should be able to get some idea of how long the handshake is taking, or whether your slowdown is due to DNS resolution.

Subsequent requests are loading from the browser cache, and SSL session re-use might explain the faster response times. You might have success duplicating the slowness on every request if you use cURL from your client machine while running the trace.

You are using a 2048-bit cert, and there was some research done that indicates that the SSL handshake takes 5 times longer than it did over 1024-bit certs. (Of course, this was done by a firm that sells load-balancers that perform SSL offload...)

mahnsc
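An added example, not part of the question or of mahnsc's answer, that turns the cURL suggestion above into a script: curl's -w timing variables are cumulative timestamps, so the script subtracts neighbouring ones to get the time spent in DNS lookup, TCP connect, the TLS handshake and the server's response, and names the phase that dominates. It also counts how many certificates the server sends in its handshake, since a server that omits its intermediate certificate forces a first-time visitor to fetch it before the chain can be verified. The SAMPLE timing line is constructed, not a real measurement, and the function names (measure, breakdown, chain_depth) are mine; the live checks only run when a hostname is passed on the command line.

```shell
#!/bin/sh
# Added example: locate the slow phase of a first HTTPS request with curl.
# curl's -w variables are cumulative timestamps (seconds since the request
# started): name lookup, TCP connect, TLS handshake complete, first byte, total.
LC_ALL=C; export LC_ALL   # keep awk's %.3f output using "." as the decimal separator
CURL_FMT='dns=%{time_namelookup} connect=%{time_connect} tls=%{time_appconnect} ttfb=%{time_starttransfer} total=%{time_total}'

# measure URL: one request, body discarded, prints one timing line.
# Needs network access; run it twice to compare a cold and a warm connection.
measure() {
  curl -s -o /dev/null -w "${CURL_FMT}\n" "$1"
}

# breakdown LINE: convert the cumulative timestamps into per-phase durations
# and name the dominant phase.  Accepts a line from measure() or a saved one,
# so the arithmetic can be checked without any network access.
breakdown() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) { split($i, kv, "="); t[kv[1]] = kv[2] + 0 }
    dns = t["dns"]
    tcp = t["connect"] - t["dns"]
    tls = t["tls"] - t["connect"]
    srv = t["ttfb"] - t["tls"]
    slow = "dns"; max = dns
    if (tcp > max) { slow = "tcp"; max = tcp }
    if (tls > max) { slow = "tls"; max = tls }
    if (srv > max) { slow = "server"; max = srv }
    printf "dns=%.3f tcp=%.3f tls=%.3f server=%.3f slowest=%s\n", dns, tcp, tls, srv, slow
  }'
}

# chain_depth HOST: number of certificates the server sends in its TLS
# handshake.  A count of 1 for a CA-issued certificate means the intermediate
# is missing, so a client seeing the site for the first time must fetch it
# itself before it can verify the chain.  Needs network access.
chain_depth() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Constructed sample timing line (not a real measurement): a request whose
# time goes almost entirely into the TLS handshake.
SAMPLE='dns=0.012 connect=0.041 tls=2.318 ttfb=2.402 total=2.455'
breakdown "$SAMPLE"
# -> dns=0.012 tcp=0.029 tls=2.277 server=0.084 slowest=tls

# With a hostname argument, measure a live site, e.g.: ./tlstime.sh example.com
if [ "$#" -gt 0 ]; then
  breakdown "$(measure "https://$1/")"
  echo "certificates sent by server: $(chain_depth "$1")"
fi
```

Run it once with the hostname, then again immediately: if the tls phase dominates on the cold run but shrinks on the warm one, the cost is in the handshake itself (key exchange, chain building, and any revocation lookups the client performs), which is exactly the part of the packet capture described in the answer to examine; if dns dominates, the resolver is the problem rather than the certificate.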