
I am running an Apache 2.4.18 server running under Ubuntu 16.04.1 LTS, only with PHP 7 and Exim 4 installed.

In the early morning the SSL handshake is extremely fast, about 200ms, but as time passes (about 1 hour later) it increases, getting to around 8s. If I restart Apache, SSL is fast again, but after a while it slows down again, returning to 8s and sometimes up to 30s.

I configured Apache's ssl.conf (/etc/apache2/mods-enabled) as follows:

    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

    SSLHonorCipherOrder on
    SSLProtocol all -SSLv3

    SSLCompression off
    SSLSessionTickets off

    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

In the VirtualHost settings I have set the following header:

    Header always set Strict-Transport-Security "max-age=15768000"

The server configuration is:

  • CPU: Intel Xeon E5-2650L 1.80GHz (4 cores)
  • Memory: 7.8 GB
  • Load Average: 0.50

Using the server-status tool of Apache this appears.

When HTTPS is fast (11:00 AM, after apache2 restart): [screenshot of the SSL/TLS Session Cache Status section]

When HTTPS is slow (11:04 AM): [screenshot of the SSL/TLS Session Cache Status section]

This started to happen when we migrated from server. No new certificates were requested; the old SSLCertificateFile, SSLCertificateChainFile, and SSLCertificateKeyFile are still used.

What can be happening to slow it down and how can I fix it?

  • Solved using this article: [Apache Optimization](https://www.liquidweb.com/kb/apache-optimization/) – Tom Jan 20 '17 at 16:11
  • If apache is running in **prefork** mode, you may have some luck reinstalling it to run in event mode. More detail [here](https://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use?answertab=votes#tab-top) – S. Imp Mar 21 '18 at 02:47

1 Answer


If you're getting slow encryption, one thing that article didn't mention is /dev/random vs /dev/urandom. The /dev/random file can block waiting for entropy, and badly written encryption can hit it over and over. This can be especially pronounced in a virtual machine, as they don't have much in the way of normal entropy generating hardware. If this happens to you, just use /dev/urandom.

This is one of those things that probably isn't affecting you, but if it is, it can be a real problem and it's hard to diagnose without knowing to look for it.

http://www.2uo.de/myths-about-urandom/

  • The slow handshake was caused by the concurrent connections reaching the value defined in MaxRequestWorkers. – Tom Jan 22 '17 at 04:00
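One way to confirm the cause Tom reports in the comment above, as an added example that is not from the thread: parse the machine-readable `/server-status?auto` output (mod_status provides it alongside the HTML view the question's screenshots came from) and compare the busy worker count to the configured MaxRequestWorkers. The sample status text and the 150-worker limit below are constructed assumptions.

```python
"""Check an Apache mod_status scoreboard for worker saturation.

When every MaxRequestWorkers slot is busy, new connections (and their TLS
handshakes) queue in the listen backlog until a worker frees up, which
shows up as a slow handshake rather than slow crypto. Example code, not
from the Server Fault thread.
"""
import re

# Scoreboard characters from mod_status: '_' is a worker waiting for a
# connection, '.' is an open (unused) slot; everything else ('W', 'K',
# 'R', 'C', 'L', ...) is a worker occupied with a request.
OPEN_SLOT = "."
WAITING = "_"


def parse_status(text):
    """Parse the 'Key: Value' lines of /server-status?auto into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def saturation(status_text, max_request_workers):
    """Return (busy, waiting, open_slots, busy / MaxRequestWorkers)."""
    board = parse_status(status_text).get("Scoreboard", "")
    open_slots = board.count(OPEN_SLOT)
    waiting = board.count(WAITING)
    busy = len(board) - open_slots - waiting
    # The ratio is against the configured ceiling, not the scoreboard
    # length: with prefork the scoreboard is ServerLimit entries long.
    return busy, waiting, open_slots, busy / max_request_workers


def diagnose(status_text, max_request_workers, threshold=0.9):
    """Classify the scoreboard as 'saturated', 'near-limit' or 'ok'."""
    _, _, _, ratio = saturation(status_text, max_request_workers)
    if ratio >= 1.0:
        return "saturated"
    if ratio >= threshold:
        return "near-limit"
    return "ok"


# Constructed samples (assumed MaxRequestWorkers 150, ServerLimit 256).
SAMPLE_SLOW = ("Total Accesses: 48213\nBusyWorkers: 150\nIdleWorkers: 0\n"
               "Scoreboard: " + "W" * 100 + "K" * 42 + "R" * 8 + "." * 106)
SAMPLE_FAST = ("Total Accesses: 1203\nBusyWorkers: 12\nIdleWorkers: 8\n"
               "Scoreboard: " + "W" * 12 + "_" * 8 + "." * 236)
```

Pointing the script at a live server means fetching `/server-status?auto` over HTTP (with `ExtendedStatus On` for the scoreboard to be populated) and polling it while the handshake is slow; a sustained "saturated" result is the signature of the MaxRequestWorkers limit rather than an entropy or cache problem.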