SOLVED SSL slow first time

[Zoltan Aradszki]

Hello,

The SSL websites are very slow in first view in our server . After the first page loaded, other pages very fast (in same website), but the 1st page loading time ca. 20 seconds. Same page with http:// loading time normally (1-2 sec.).

After a flushcache (in OS X), the https website's first page loading slow again.

I tested it various OS (Windows, OSX, Linux), browsers (Safari, Firefox, Chrome).

This problem persists on ALL websites in our server with various certificates (EV, RapidSSL, cPanel, etc.)

I checked DNS, main SSL cert., firewall, yum update, ea4 update, nothing changed.

Server load below 1, memory works well.

SSL Cipher Suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

Whats wrong with SSL settings?

 

[cPanelMichael]

Hello,

Do you notice any output to /usr/local/apache/logs/error_log when opening the website securely for the first time after clearing your browser cache?

Note there's a third-party URL here that might be related to this question (though in this case it's only affecting one browser):

First HTTPS connection is very slow in Internet Explorer 11, what can it be?

Thank you.

 

[Zoltan Aradszki]

Hi,
thanks for your reply.

Unfortunatelly, no any "useful" error message in apache error log. Just 10-15-20 seconds latency in first view, only with https.

After it, another pages with same domain loading fast, so the problem is in the first touch.

The web pages without ssl load fast. Is it a DNS problem? Or IPv6 (I don't think, but who know?) Or something special apache settings required?

 

[jrod]

Just wanted to pop into this thread to note that I am experiencing a similar issue. Websites over http respond within 100ms however sometimes when sending a request to an SSL site it can take an unusual amount of time. After the SSL first request however all SSL requests to that specific site for a little while work instantly regardless of what browser I am using, whether the browser cache/cookies are cleared and regardless of what computer I am using. Then shortly after the issue will occur again as if something under the hood has changed.

Restarting apache makes the problem seem to occur once again.. then like clockwork all requests for that site return to a normal response time for a short while. I have also noticed this only occurs with SSL requests to the actual sites on cPanel, not the actual WHM/cPanel interfaces. All SSL requests to those interfaces are instant.

This also occurs whether I'm using cPanel's Comodo certificates or Letsencrypt's certs.

Nothing occurs in my /var/log/apache2/error_log while these bad requests are taking place however I did notice this line in the log that I am a little unsure about which seems to occur semi-randomly throughout the day.

"[Thu Jan 19 14:59:05.231244 2017] [mpm_worker:notice] [pid 526:tid 139814381062272] AH00292: Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations"

Here is an example of the issue with screenshots.

[Removed - Please use example domain names and attach images directly to the thread]

Let me know if I can provide any more information as this problem has been driving me up the wall.

 

[jrod]

I've attempted to modify my OP with updated screenshots however the forum seems to have flagged me for "spam" after 1 post. I'll try to post them in a reply here.

#1 here is the first request (slow)

#2 is the request immediately after (suddenly fast)

#3 is a request immediately after I restart apache (slow again)

 

[cPanelMichael]

Hello,

It's likely this relates to the OCSP response performance. Here's a third-party URL that explains how OCSP works:

Understanding OCSP Times and What They Mean for You | DigiCert Blog

The response time from certificate authorities such as Let's Encrypt and Comodo would be the culprit in these cases, as opposed to the way the certificate is configured on the cPanel server.

Thank you.

 

[jrod]

The strangest thing is however both my WHM/cPanel interface and most of the sites affected use cPanel's Comodo CA and incidentally the same OCSP address however the issues does not occur on the cPanel/WHM interfaces, only on user sites. I did do a bit of digging on the cPanel server itself and latency to ocsp.comodoca.com is about 83ms and ocsp.int-x3.letsencrypt.org is about 2ms so timing does not seem to be an issue at all. I also attempted to manually run an OCSP check via openssl command line on Comodo's responder which ran instantly and responded correctly.

 

[cPanelMichael]

Hello,

Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look and rule out any issues with the cPanel software or configuration.

Thanks!

 

[jrod]

I have just done so. I'll update this thread if there are any conclusive findings. Thank you for your help.

 

[cPanelMichael]

I have just done so. I'll update this thread if there are any conclusive findings. Thank you for your help.

Hello,

To update, it looks like the solution referenced on the following post helped to address this issue:

Let's Encrypt Firefox OCSP problem: Secure Connection Failed

Additionally, here's some helpful information from one of our analysts on this support ticket:

Hello,

This might be the result of something on the backend with Apache's Stapling configuration (or perhaps a bug where it busy waits until a timeout is hit, then displays the information to the client). I looked over the Apache configuration as well as bug reports on the Apache bug report site. I did come across this which might be the culprit - One of the bugs reported was fixed though which lowered the performance impact:

Mailing List Archive: Solving mutex concerns with OCSP stapling

It appears that the shared SSL cache for stapling is not being dispatched to the threads for reading/writing, only one process, which would explain the slowdown and stalls.

I hope that explains why you see this randomly and not all the time.

Thank you.

 

[jrod]

It would appear that we came to the same conclusion in my support request. Disabling OCSP/SSL Stapling fixed the issue so I'm guessing that upstream Apache bug listed in the linked thread is the issue.

 

[Zoltan Aradszki]

Wowwww! Working perfectly! Thank you!

 

[DanielTud]

Hi,

I'm having the same problem but using SSLUseStapling off DIDN'T solved the problem.

Now the problem seems to be intermittent, in most cases establishing secure connection is very slow (±20 seconds) while in the others is fast (I'm not talking about the second try or refresh).

It's affecting all my client's websites which are using https. The ones using http are not affected.

It started 30 hours ago, with no known cause. No changes were made in the server configuration or software. The hosting company states that they didn't do any changes to the infrastructure.

Doesn't seem to affect mobile devices though.

Any help is greatly appreciated!

 

[DanielTud]

I've solved my issue by disabling SSLv2 and SSLv3, and also by changing the SSL Cyper Suite.

This settings were applied in WHM -> Apache Configuration -> Global Configuration:

• SSL Cipher Suite: ALL:HIGH:!MEDIUM:!aNULL:!MD5:!RC4
• SSL/TLS Protocols: –ALL +TLSv1 +TLSv1.1 +TLSv1.2

Almost 2 days since no issues!

 

[DanielTud]

It seems the issue came back. Still intermitent but it seems to occur much less now.

We've ordered a new, more powerful server machine. Hope it will fix it forever.

 

[Augusto Will]

Same problem here exactly as described by others users, try these solutions but after some hours the problem come back, i using mod_lsapi. I hired another powerful machine but this problem is killing me and my business.

 

[cPanelMichael]

Same problem here exactly as described by others users, try these solutions but after some hours the problem come back, i using mod_lsapi

Could you confirm which specific solutions you have tried thus far? Does the issue persist with and without LiteSpeed enabled on the server?

Thank you.

 

[Augusto Will]

Could you confirm which specific solutions you have tried thus far? Does the issue persist with and without LiteSpeed enabled on the server?

Thank you.

Well, because your question, i changeg to MPM and see that php-cgi becomes to respond to pages, the problem persists, SSL very ultra extreme slow (about 29 seconds) but after first connection, all the things is right and speed is ok. If my clients dont go away after wait for a while, they can see the site and navigate without problems

 

[Augusto Will]

I can deal with this problems, please mark this thread as solved. To me the only working solution was change some limits configuration due to some high access sites. If someone have the same problem, this is the way:

In EasyApache4 change this configuration (I don't know if its best configuration and i change all this numbers):
Server Limit: 800
Max Request Workers: 300
Keep-Alive Timeout: 50
Max Keep-Alive Requests: 500

and... Done! the problems goes away.
I want to leave a compliment to cPanel developers and engineers, the EasyApache4 which integrates with ClodLinux + mod_lsap is good as gold.
Thanks.

 

[Graeme Wingate]

I was having the same problem as this, but following the advice here didn't really get me a solution. I see it did for other people but not others.

I'm not saying it is this issue but this solved it for me, and fitted the problem I was having with the first view of an ssl site being 20-30 seconds in loading.

Short story - all of the sites that were having problems had the jailed shell settings activated. Turning shell off or using normal shell has sorted it for me.

Long story

Virtual box, split into 5 virtual installs of cpanel.

30 second delay on ssl sites that were sat on 2 different servers out of the 5. Other sites on the servers were fine, some using ssl on affected servers were loading and others weren't. Moved sites from one server to another and they suddenly started working, so 100% not the sites - had to be the server.

I went through loads of testing, changed all settings and all that good stuff. Eventually it dawned on me that all the sites that were having issues had the setting of being in jailed shell.

I've spoken to my friends who are very clued up on servers, they say it shouldn't be anything to do with this. All I can say is that all the sites with this problem had jailed shell, I turned it off and they started working.

Worth a try before you kick the cat.