SOLVED SSL slow first time

Discussion in 'Security' started by Zoltan Aradszki, Dec 19, 2016.

  1. Zoltan Aradszki

    Joined:
    Jun 7, 2016
    Messages:
    7
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    Hello,

    The SSL websites are very slow on first view on our server. After the first page has loaded, other pages are very fast (on the same website), but the first page's loading time is ca. 20 seconds. The same page over http:// loads in normal time (1-2 sec.).

    After a flushcache (in OS X), the https website's first page loads slowly again.

    I tested it on various OSes (Windows, OS X, Linux) and browsers (Safari, Firefox, Chrome).

    This problem persists on ALL websites on our server with various certificates (EV, RapidSSL, cPanel, etc.).

    I checked DNS, main SSL cert., firewall, yum update, ea4 update, nothing changed.

    Server load below 1, memory works well.

    SSL Cipher Suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

    What's wrong with the SSL settings?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. Zoltan Aradszki

    Hi,
    thanks for your reply.

    Unfortunately, there isn't any "useful" error message in the Apache error log. Just 10-15-20 seconds of latency on first view, only with https.

    After that, other pages on the same domain load fast, so the problem is in the first touch.

    The web pages without SSL load fast. Is it a DNS problem? Or IPv6 (I don't think so, but who knows?)? Or are some special Apache settings required?
     
  4. jrod

    jrod Member

    Joined:
    Jan 19, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    /dev/null
    cPanel Access Level:
    Root Administrator
    Just wanted to pop into this thread to note that I am experiencing a similar issue. Websites over http respond within 100ms; however, sometimes when sending a request to an SSL site it can take an unusual amount of time. After the first SSL request, however, all SSL requests to that specific site work instantly for a little while, regardless of what browser I am using, whether the browser cache/cookies are cleared, and regardless of what computer I am using. Then shortly after, the issue will occur again as if something under the hood has changed.

    Restarting Apache makes the problem seem to occur once again, then like clockwork all requests for that site return to a normal response time for a short while. I have also noticed this only occurs with SSL requests to the actual sites on cPanel, not the actual WHM/cPanel interfaces. All SSL requests to those interfaces are instant.

    This also occurs whether I'm using cPanel's Comodo certificates or Let's Encrypt's certs.

    Nothing occurs in my /var/log/apache2/error_log while these bad requests are taking place; however, I did notice this line in the log that I am a little unsure about, which seems to occur semi-randomly throughout the day.

    "[Thu Jan 19 14:59:05.231244 2017] [mpm_worker:notice] [pid 526:tid 139814381062272] AH00292: Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations"

    Here is an example of the issue with screenshots.

    [Removed - Please use example domain names and attach images directly to the thread]

    Let me know if I can provide any more information as this problem has been driving me up the wall.
     
  5. jrod

    I've attempted to modify my OP with updated screenshots however the forum seems to have flagged me for "spam" after 1 post. I'll try to post them in a reply here.

    #1 here is the first request (slow)
    1.png
    #2 is the request immediately after (suddenly fast)
    2.png
    #3 is a request immediately after I restart apache (slow again)
    3.png
     
  6. cPanelMichael

    Hello,

    It's likely this relates to the OCSP response performance. Here's a third-party URL that explains how OCSP works:

    Understanding OCSP Times and What They Mean for You | DigiCert Blog

    The response time from certificate authorities such as Let's Encrypt and Comodo would be the culprit in these cases, as opposed to the way the certificate is configured on the cPanel server.

    Thank you.
     
  7. jrod

    The strangest thing, however, is that both my WHM/cPanel interface and most of the sites affected use cPanel's Comodo CA and, incidentally, the same OCSP address; however, the issue does not occur on the cPanel/WHM interfaces, only on user sites. I did do a bit of digging on the cPanel server itself, and latency to ocsp.comodoca.com is about 83ms and to ocsp.int-x3.letsencrypt.org is about 2ms, so timing does not seem to be an issue at all. I also attempted to manually run an OCSP check via the openssl command line on Comodo's responder, which ran instantly and responded correctly.
     
  8. cPanelMichael

    Hello,

    Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look and rule out any issues with the cPanel software or configuration.

    Thanks!
     
  9. jrod

    I have just done so. I'll update this thread if there are any conclusive findings. Thank you for your help.
     
  10. cPanelMichael

    Hello,

    To update, it looks like the solution referenced on the following post helped to address this issue:

    Let's Encrypt Firefox OCSP problem: Secure Connection Failed

    Additionally, here's some helpful information from one of our analysts on this support ticket:

    Thank you.
     
  11. jrod

    It would appear that we came to the same conclusion in my support request. Disabling OCSP/SSL Stapling fixed the issue so I'm guessing that upstream Apache bug listed in the linked thread is the issue.
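
The pattern reported in this thread (a slow first HTTPS request after an Apache restart, fast requests afterwards, resolved by turning stapling off) can be checked from timing data rather than by eye. The following is an added example, not part of any post and not cPanel tooling: it labels a series of `curl` timing probes and reads the stapling state from `openssl s_client -status` output. The function names, the labels, the 1000 ms threshold and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Collect real input with (example.com is a placeholder):
#   curl -so /dev/null -w '%{time_connect} %{time_appconnect}\n' https://example.com/
#   openssl s_client -connect example.com:443 -servername example.com -status </dev/null

# Read "time_connect time_appconnect" pairs (seconds, one probe per line, in
# the order taken) and label the pattern. The TLS handshake time is the gap
# between the two values; $1 is the "slow" threshold in ms (assumed default 1000).
classify_probes() {
  awk -v limit_ms="${1:-1000}" '
    NF == 2 {
      n++
      ms = ($2 - $1) * 1000
      if (ms > limit_ms) { slow++; if (n == 1) first = 1 }
    }
    END {
      if (n == 0)                  print "no-data"
      else if (slow == 0)          print "ok"
      else if (slow == n)          print "always-slow"
      else if (first && slow == 1) print "cold-start-stall"  # jrod pattern
      else                         print "intermittent"      # DanielTud pattern
    }'
}

# Read `openssl s_client -status` output on stdin and report whether the
# server attached an OCSP response to the handshake.
stapling_state() {
  awk '
    /OCSP response: no response sent/        { s = "none" }
    /OCSP Response Status: successful/       { s = "stapled" }
    /OCSP Response Status:/ && !/successful/ { s = "error" }
    END { print (s == "" ? "unknown" : s) }'
}

# Constructed samples: three probes taken right after a restart, and two
# excerpts of s_client output (stapling on and off).
SAMPLE_RESTART='0.041 20.312
0.040 0.118
0.039 0.121'
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_UNSTAPLED='OCSP response: no response sent'

printf 'probes: %s\n' "$(printf '%s\n' "$SAMPLE_RESTART" | classify_probes)"
printf 'staple: %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | stapling_state)"
```

With stapling turned off, `stapling_state` reports `none`, and clients that check revocation query the CA's OCSP responder themselves.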
     
  12. Zoltan Aradszki

    Wowwww! Working perfectly! Thank you!
     
    cPanelMichael likes this.
  13. DanielTud

    DanielTud Registered

    Joined:
    Feb 17, 2017
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Reseller Owner
    Hi,

    I'm having the same problem, but using SSLUseStapling off DIDN'T solve the problem.

    Now the problem seems to be intermittent: in most cases establishing a secure connection is very slow (±20 seconds), while in others it is fast (I'm not talking about the second try or refresh).

    It's affecting all my client's websites which are using https. The ones using http are not affected.

    It started 30 hours ago, with no known cause. No changes were made in the server configuration or software. The hosting company states that they didn't make any changes to the infrastructure.

    Doesn't seem to affect mobile devices though.

    Any help is greatly appreciated!
     
  14. DanielTud

    I've solved my issue by disabling SSLv2 and SSLv3, and also by changing the SSL Cipher Suite.

    These settings were applied in WHM -> Apache Configuration -> Global Configuration:
    • SSL Cipher Suite: ALL:HIGH:!MEDIUM:!aNULL:!MD5:!RC4
    • SSL/TLS Protocols: -ALL +TLSv1 +TLSv1.1 +TLSv1.2
    No issues for almost 2 days since!
     
    cPanelMichael likes this.
  15. DanielTud

    It seems the issue came back. Still intermittent, but it seems to occur much less now.

    We've ordered a new, more powerful server machine. Hope it will fix it forever.
     
  16. Augusto Will

    Augusto Will Active Member

    Joined:
    Sep 9, 2011
    Messages:
    39
    Likes Received:
    4
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    Same problem here, exactly as described by other users. I tried these solutions, but after some hours the problem comes back. I am using mod_lsapi. I hired another powerful machine, but this problem is killing me and my business.
     
    #16 Augusto Will, Jul 3, 2017
    Last edited: Jul 4, 2017
  17. cPanelMichael

    Could you confirm which specific solutions you have tried thus far? Does the issue persist with and without LiteSpeed enabled on the server?

    Thank you.
     
  18. Augusto Will

    Well, because of your question, I changed to MPM and saw that php-cgi started to respond to pages. The problem persists: SSL is extremely slow (about 29 seconds), but after the first connection everything is right and the speed is OK. If my clients don't go away after waiting for a while, they can see the site and navigate without problems.
     
  19. Augusto Will

    I can deal with this problem, please mark this thread as solved. For me the only working solution was to change some limits in the configuration due to some high-traffic sites. If someone has the same problem, this is the way:

    In EasyApache4 change this configuration (I don't know if it's the best configuration, and I changed all these numbers):
    Server Limit: 800
    Max Request Workers: 300
    Keep-Alive Timeout: 50
    Max Keep-Alive Requests: 500

    and... Done! The problem goes away.
    I want to leave a compliment to the cPanel developers and engineers: EasyApache4, which integrates with CloudLinux + mod_lsapi, is good as gold.
    Thanks.
     
    cPanelMichael likes this.
  20. Graeme Wingate

    Graeme Wingate Registered

    Joined:
    Aug 2, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    I was having the same problem as this, but following the advice here didn't really get me a solution. I see it did for other people but not others.

    I'm not saying it is this issue but this solved it for me, and fitted the problem I was having with the first view of an ssl site being 20-30 seconds in loading.

    Short story - all of the sites that were having problems had the jailed shell settings activated. Turning shell off or using normal shell has sorted it for me.

    Long story

    Virtual box, split into 5 virtual installs of cpanel.

    30 second delay on ssl sites that were sat on 2 different servers out of the 5. Other sites on the servers were fine, some using ssl on affected servers were loading and others weren't. Moved sites from one server to another and they suddenly started working, so 100% not the sites - had to be the server.

    I went through loads of testing, changed all settings and all that good stuff. Eventually it dawned on me that all the sites that were having issues had the setting of being in jailed shell.

    I've spoken to my friends who are very clued up on servers, they say it shouldn't be anything to do with this. All I can say is that all the sites with this problem had jailed shell, I turned it off and they started working.

    Worth a try before you kick the cat.
     