uk01

Hi, we are having this slow SSL issue on multiple servers too. It's making https sites almost unusable when it kicks in.
All the sites use cPanel's own Comodo certs.
From research here and on other threads I've discovered it's the "stapling", and it's recommended on the other thread to add "SSLUseStapling off" to the include editor.
Am I safe doing this? Is it just a temporary solution, or will it cause issues on the server? We can't risk any issues; however, adding this has resolved the problem for now and sites load fast again.
cPanel, please could you confirm if this is the approved solution? Is it safe?
Thanks
 

cPanelMichael

Administrator
Staff member
Hello @uk01,

I moved this post to its own thread, as it appears to relate to a Comodo outage that occurred yesterday. Here's a post with more details about why this happens:

Comodo OCSP Outage

I advise against disabling "SSLUseStapling" completely (unless you were to disable it temporarily when there's a Comodo outage), as that can completely disable the OCSP check.

Thank you.
 

WorkinOnIt

cPanel Access Level
Root Administrator
Hello - Is this outage still happening?

I am getting quite a lot of errors from Comodo

Code:
[Thu Sep 14 21:44 2017] [ssl:error] [pid 22107] (101)Network is unreachable: [client 74.82.47.3:62578] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Thu Sep 14 21:44:29 2017] [ssl:error] [pid 22107] AH01941: stapling_renew_response: responder error
 

cPanelMichael

> Hello - Is this outage still happening?

No, the outage referenced on this thread was solved shortly after it was reported. Are you still facing this issue on your system?

Thank you.
 

WorkinOnIt

Yes, I am seeing this error on multiple machines

[ssl:error] [pid 10833] AH01941: stapling_renew_response: responder error
[Sat Sep 16 08:55:06.589095 2017] [ssl:error] [pid 11589] (101)Network is unreachable: [client 66.xx.xx.xx:39071] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'

There appear to be many of the same error messages for multiple IP addresses.

I thought to check my resolvers but they appear fine (8.8.8.8 and 8.8.4.4) and I am able to telnet and ping fine.

I do have port 22 removed from TCP_IN and TCP_OUT; that's the only change I've made of late, so I'm not sure what could be the cause of this issue. I think I'd better open a support ticket!

However, I am not noticing any obvious issues on front end https sites.
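
The `AH01974` and `AH01941` lines posted in this thread can be tallied by responder and errno to separate a host-side network problem from a responder-side one. This is an added example, not code from any poster or from cPanel; the sample log is constructed, and the names `triage`, `report` and the `ERRNO_HINT` texts are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the formats posted in this thread; client IPs are documentation addresses.
SAMPLE_LOG = """\
[Sat Sep 16 08:55:06.589095 2017] [ssl:error] [pid 11589] (101)Network is unreachable: [client 192.0.2.10:39071] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Sat Sep 16 08:55:06.589301 2017] [ssl:error] [pid 11589] AH01941: stapling_renew_response: responder error
[Sat Sep 16 08:56:10.004410 2017] [ssl:error] [pid 11590] (101)Network is unreachable: [client 203.0.113.5:40112] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Sat Sep 16 08:57:41.120044 2017] [ssl:error] [pid 11602] (110)Connection timed out: [client 198.51.100.7:51200] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[ssl:error] [pid 10833] AH01941: stapling_renew_response: responder error
[Sat Sep 16 08:58:02.000100 2017] [core:notice] [pid 900] AH00094: Command line: '/usr/sbin/httpd'
"""

# Linux errno values that can prefix AH01974, with a first place to look (added hints).
ERRNO_HINT = {
    101: "no route: check routing and outbound firewall rules (IPv4 and IPv6)",
    110: "timed out: outbound traffic dropped or responder not answering",
}
LINE_RE = re.compile(
    r"\[ssl:error\] \[pid \d+\] "
    r"(?:\((?P<errno>\d+)\)[^:]+: )?"       # optional "(101)Network is unreachable: "
    r"(?:\[client [^\]]+\] )?"              # optional client address
    r"(?P<code>AH01974|AH01941): (?P<msg>.*)"
)
RESPONDER_RE = re.compile(r"OCSP responder '([^']+)'")

def triage(log_text):
    """Return (Counter of AH01974 by (responder, errno), count of AH01941)."""
    connect, renew_errors = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a stapling error line
        if m["code"] == "AH01974":
            r = RESPONDER_RE.search(m["msg"])
            errno = int(m["errno"]) if m["errno"] else None
            connect[(r.group(1) if r else "unknown", errno)] += 1
        else:  # AH01941: the stapling renewal itself failed
            renew_errors += 1
    return connect, renew_errors

def report(log_text):
    connect, renew_errors = triage(log_text)
    out = [f"{n}x cannot reach {resp} (errno {e}): {ERRNO_HINT.get(e, 'see log line')}"
           for (resp, e), n in connect.most_common()]
    return out + [f"{renew_errors}x AH01941 stapling renewal failures"]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
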
 

cPanelMichael

> I do have port 22 removed from TCP_IN and TCP_OUT; that's the only change I've made of late, so I'm not sure what could be the cause of this issue. I think I'd better open a support ticket!

Hello,

It's possible the traffic to the OCSP responder is blocked by a firewall rule on your system. However, feel free to post the ticket number here should you decide to open a support ticket, and I will update this thread with the outcome.

Thank you.
 

WorkinOnIt

Hi there

After opening a ticket and some troubleshooting, it would appear the issue was that the Apache Cipher Suite had not updated. For some reason, it was not set to the "default". I updated it thus:

In WHM I did the following to change it to default.

-- Navigate to Home » Service Configuration » Apache Configuration » Global Configuration
-- Toggle radio button for default selection
-- Click save at bottom
-- On next page Click rebuild configuration and restart

That solved my issue - hope it can help someone else!

Kudos to Steven Sublett and the other team.
 