0

I had a free SSL certificate that was working fine when my site had lower traffic - but the traffic has increased, and now users frequently receive errors establishing a secure connection. Some of these are fallback errors, and some just say error establishing secure connection. I'm wondering if what certificate I have makes a difference in how much traffic it can handle? Is there a company that grants certificates better able to handle high-traffic situations?

3 Answers

6

The certificate itself does not affect the scaling of the application. The performance might be affected by the size of the certificate and the chain, so a short certificate chain might perform better. But in practice this does not matter that much as long as session reuse is enabled at the server side (usually the default configuration).

I think the main problem you have is that your side does not scale well, independent of the certificate. More users means higher load at the server and more use of bandwidth, and if any of these resources is tight, packets will be lost or will be processed too slowly. In this case you get a variety of problems, including SSL downgrading or failure to establish the connection.

Steffen Ullrich
1

It could also be an issue with the activity of SSL's lately with SHA1 and actually a coincidence with the timing and your site's traffic.

What server are you using? Have you looked into SSL offloading? What about using a CDN that supports SSL, like CloudFlare or Incapsula?

With fallback issues, check what score you get on https://www.ssllabs.com/ssltest/ and try to correct any issues.

Jacob Evans
0

Most of the time, it should have no effect, but I would certainly think that the size of the key should be taken into account, especially in extremely high traffic situations where multiple users are hitting the site over and over again. If you take all of the traffic into account, decrypting 2048-bit-encrypted requests would certainly perform better than decrypting 4096-bit encrypted traffic, and I imagine that certain algorithms could have a contributing factor as well. But I would imagine this would only contribute to extremely high-traffic scenarios where users re-connect frequently.

rubynorails
  • Since this is only done once per session, it's not a very big hit. – Michael Hampton Sep 27 '15 at 03:09
  • Imagine a large financial enterprise that maintains short session timeouts for millions of users who reconnect often (think online banking or even gambling). There would definitely need to be scalability involved wherever SSL is terminated in order to maintain the same end-user experience if you double the size of your keys. Just because it's not a very big hit doesn't mean it wouldn't have a noticeable impact on an enterprise-level application. [Sanity check found this link](http://stackoverflow.com/questions/8453529/are-there-any-disadvantages-to-using-a-4096-bit-encrypted-ssl-certificate) – rubynorails Sep 27 '15 at 04:44
  • But those very institutions are the ones least likely to want to use shorter keys. In my experience, financial institutions will either use a pool of servers (so scaling is just a matter of deepening the pool) or use hardware-assisted SSL (or both). – MadHatter Sep 27 '15 at 06:00
  • The question is not _"How to prevent some SSL certificates from affecting traffic"_ -- so I believe you are negating your point by saying that these organizations would want to use shorter keys in order to improve performance. The fact remains that larger keys have an effect on performance. It is indeed a minuscule effect, but on very large scales, this effect is visible unless certain measures are taken in order to counterbalance this effect. – rubynorails Sep 27 '15 at 06:21
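
The answers above disagree on how much key size matters once session reuse is on; this added example (not code from any of the posters) measures the private-key cost for 2048-bit and 4096-bit moduli and scales it by the share of connections that need a full handshake. The 500 connections per second, the 90% resumption rate, and the use of a plain non-CRT modular exponentiation on constructed random moduli as a stand-in for a real RSA key are all assumptions.

```python
import secrets
import time


def random_odd(bits):
    """Constructed odd integer of exactly `bits` bits (stand-in value, not a real RSA key)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def private_op_seconds(bits, rounds=5):
    """Average time of one full-size modular exponentiation, the core of an RSA private-key op.

    Assumption: no CRT speed-up, so absolute times are pessimistic; the ratio between sizes is the point.
    """
    n, d = random_odd(bits), random_odd(bits)
    m = secrets.randbits(bits - 1)
    pow(m, d, n)  # warm-up run, not timed
    start = time.perf_counter()
    for _ in range(rounds):
        pow(m, d, n)
    return (time.perf_counter() - start) / rounds


def full_handshakes_per_second(connections_per_second, resumed_fraction):
    """Resumed sessions skip the private-key operation; only the rest pay for it."""
    return connections_per_second * (1.0 - resumed_fraction)


def cpu_load(connections_per_second, resumed_fraction, op_seconds):
    """CPU-seconds per second spent on private-key operations (1.0 means one core fully busy)."""
    return full_handshakes_per_second(connections_per_second, resumed_fraction) * op_seconds


def report(connections_per_second=500):
    """Rows of (key bits, resumed fraction, seconds per op, cores busy) for both key sizes."""
    rows = []
    for bits in (2048, 4096):
        op = private_op_seconds(bits)
        for resumed in (0.0, 0.9):
            rows.append((bits, resumed, op, cpu_load(connections_per_second, resumed, op)))
    return rows


if __name__ == "__main__":
    for bits, resumed, op, load in report():
        print(f"RSA-{bits}  resumed={resumed:.0%}  op={op * 1000:.2f} ms  cores busy={load:.2f}")
```

Comparing the four rows shows both effects at once: the per-operation cost grows several-fold with the larger modulus, while a high resumption rate cuts the total load by the same factor for either key size.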