SOLVED SSL Slowness

Discussion in 'Security' started by uk01, Aug 14, 2017.

  1. uk01

    uk01 Well-Known Member

    Hi we are having this slow SSL issue on multiple servers too. It's making https sites almost unusable when it kicks in.
    All the sites use cPanel's own Comodo certs.
    From research here and on other threads I've discovered it's the "stapling" and it's recommended on the other thread to add "SSLUseStapling off" to include editor.
    Am I safe doing this? Is it just a temporary solution or will it cause issues on the server? We can't risk any issues, however adding this has resolved the problem for now and sites load fast again.
    cPanel, please could you confirm if this is the approved solution, is it safe?
    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @uk01,

    I moved this post to its own thread, as it appears to relate to a Comodo outage that occurred yesterday. Here's a post with more details about why this happens:

    Comodo OCSP Outage

    I advise against disabling "SSLUseStapling" completely (unless you were to disable it temporarily when there's a Comodo outage), as that can completely disable the OCSP check.

    Thank you.
     
  3. WorkinOnIt

    WorkinOnIt Well-Known Member

    Hello - Is this outage still happening?

    I am getting quite a lot of errors from Comodo

    Code:
    [Thu Sep 14 21:44 2017] [ssl:error] [pid 22107] (101)Network is unreachable: [client 74.82.47.3:62578] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Thu Sep 14 21:44:29 2017] [ssl:error] [pid 22107] AH01941: stapling_renew_response: responder error
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    No, the outage referenced on this thread was solved shortly after it was reported. Are you still facing this issue on your system?

    Thank you.
     
    WorkinOnIt likes this.
  5. WorkinOnIt

    WorkinOnIt Well-Known Member

    Yes, I am seeing this error on multiple machines

    [ssl:error] [pid 10833] AH01941: stapling_renew_response: responder error
    [Sat Sep 16 08:55:06.589095 2017] [ssl:error] [pid 11589] (101)Network is unreachable: [client 66.xx.xx.xx:39071] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'

    There appear to be many of the same error messages for multiple IP addresses.

    I thought to check my resolvers but they appear fine (8.8.8.8 and 8.8.4.4) and I am able to telnet and ping fine.

    I do have port 22 removed from TCP_IN and TCP_OUT, that's the only change I've made of late, so I'm not sure what could be the cause of this issue. I think I'd better open a support ticket!

    However, I am not noticing any obvious issues on front end https sites.
     
    #5 WorkinOnIt, Sep 15, 2017
    Last edited: Sep 16, 2017
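
A triage sketch for the error-log lines quoted in posts #3 and #5, added here as an example (it is not part of any post and not cPanel tooling): it parses mod_ssl stapling errors in the formats shown above and tallies them by AH code, errno and responder host. The `triage` and `verdict` names, the verdict labels and the rules behind them are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the four error-log lines quoted in posts #3 and #5 of this thread.
SAMPLE = [
    "[Thu Sep 14 21:44 2017] [ssl:error] [pid 22107] (101)Network is unreachable: [client 74.82.47.3:62578] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'",
    "[Thu Sep 14 21:44:29 2017] [ssl:error] [pid 22107] AH01941: stapling_renew_response: responder error",
    "[ssl:error] [pid 10833] AH01941: stapling_renew_response: responder error",
    "[Sat Sep 16 08:55:06.589095 2017] [ssl:error] [pid 11589] (101)Network is unreachable: [client 66.xx.xx.xx:39071] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'",
]

# Timestamp, "(errno)text:" and "[client ...]" are optional: the quoted lines
# appear both with and without them.
LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?\[ssl:error\]\s+\[pid\s+(?P<pid>\d+)\]\s+"
    r"(?:\((?P<errno>\d+)\)(?P<errmsg>[^:]+):\s+)?"
    r"(?:\[client\s+(?P<client>[^\]]+)\]\s+)?"
    r"(?P<code>AH\d{5}):\s+(?P<msg>.*)$"
)
RESPONDER_RE = re.compile(r"OCSP responder '([^']+)'")
ENETUNREACH = 101  # Linux errno: no usable route to the address that was tried

def triage(lines):
    """Count stapling errors per AH code, per errno and per responder host."""
    out = {"codes": Counter(), "errnos": Counter(), "responders": Counter(), "unparsed": 0}
    for raw in lines:
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if not m:
            out["unparsed"] += 1
            continue
        out["codes"][m["code"]] += 1
        if m["errno"]:
            out["errnos"][(int(m["errno"]), m["errmsg"])] += 1
        responder = RESPONDER_RE.search(m["msg"])
        if responder:
            out["responders"][responder.group(1)] += 1
    return out

def verdict(summary):
    """Where to look first. The labels and rules are this example's heuristic."""
    connects = summary["codes"]["AH01974"]
    no_route = sum(n for (eno, _), n in summary["errnos"].items() if eno == ENETUNREACH)
    if connects and no_route == connects:
        return "local-egress"  # no route to the responder: check this host's routing/firewall
    if connects:
        return "responder-unreachable"
    return "responder-error" if summary["codes"]["AH01941"] else "no-stapling-errors"
```
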
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It's possible the traffic to the OCSP responder is blocked by a firewall rule on your system, however feel free to post the ticket number here should you decide to open a support ticket and we will update this thread with the outcome.

    Thank you.
     
  7. WorkinOnIt

    WorkinOnIt Well-Known Member

    Hi there

    After opening a ticket and some troubleshooting, it would appear the issue was that the Apache Cipher Suite had not updated. For some reason, it was not set to the "default". I updated it thus:

    In WHM I did the following to change it to default.

    -- Navigate to Home » Service Configuration » Apache Configuration » Global Configuration
    -- Toggle radio button for default selection
    -- Click save at bottom
    -- On next page Click rebuild configuration and restart

    That solved my issue - hope it can help someone else!

    Kudos to Steven Sublett and the other team.
     
    cPanelMichael likes this.