SSL slow. Establishing secure connection taking too long

Temur Topuria
I have a dedicated server on Hetzner. The server is located in Germany.

The server has 256GB RAM and 6 CPUs (12 threads)... In conclusion, it is quite a good one. I have CentOS 7.5, EA4.

The problem is with SSL. Every day, for about 2 hours, we have 40 requests per second, and during that time finishing requests sometimes takes about 20 seconds.

Non-SSL requests mostly take 0.5 seconds or less.

Here is an example page:

http://viber.ge/index.php

After a few seconds you will see the response time, and it varies a lot.

From 13:00 to 15:30 (UTC+4) SSL requests take the most time.

Even if you open this link with SSL and without, you might see the difference.

I have WHM available and I've noticed ModSecurity and wonder if it might be the problem.

I have already applied most of the settings provided here, but they are not much about SSL.

Could anyone point out where I should look to resolve this issue?
noci, Software Engineer, Distinguished Expert 2018

Commented:
It is waiting in server hello, so it may be connected to latency in generating a DH key...
or depletion of the random pool.
DH key generation can be helped by adding a DH parameter file to the server config...

Depletion of the random pool needs more "random" actions added to the pool.
Hardware like OneRNG ( http://onerng.info ) might help, or software solutions like
haveged ( http://www.issihosts.com/haveged/ ) or timer_entropy_daemon ( http://www.vanheusden.com/te/ ).

Entropy depletion can be detected by: cat /proc/sys/kernel/random/entropy_avail
It should stay as high as possible (ideally near poolsize in the same directory).
Temur Topuria, Web Developer

Author

Commented:
Hello, thank you for your answer.
entropy_avail value is 2760
poolsize: 4096
But server response time is worst at about 13:00 (UTC+4), so I'm going to check the entropy_avail value tomorrow and respond to you.

I've read that disabling OCSP stapling could improve performance, but I couldn't find a way to turn it off. Any chance you could help me with this as well?
noci, Software Engineer, Distinguished Expert 2018

Commented:
All kinds of queries at the moment the connect happens may cause extra delays as well.
OCSP stapling is something that the client verifies... So it should not be an immediate issue...

Check how haproxy handles OCSP stapling; that only needs to be done once a week, so it
should not be that big an issue.
Temur Topuria, Web Developer

Author

Commented:
OK, I am not changing OCSP. The entropy_avail value is 2673 and varies, but not by much.
Is 2673 fine for the entropy_avail value?
If not, please provide (if possible) some alternatives to resolve this issue, because the provided implementation seems very hard to me.
If 2673 is fine, where should I look next?
noci, Software Engineer, Distinguished Expert 2018

Commented:
If you run cat /dev/random it would pull the pool empty in a short while (a second or so)...
until you kill the cat command.

Refilling it will take some time, and in the meantime random number generation will slow down..
(effectively, if you generate a 1024-bit key, you remove 1024 bits from the pool), so higher values are preferred.
(One sample says nothing, btw; you would need to monitor every few seconds to get an idea.)
Taking 40 samples might very well deplete the pool, depending on key sizes and the amount of activity on your system.

I have one system that has OneRNG on it that has a pool around 3800... ish, and is a heavy user of random keys due to several IPsec tunnels that frequently rekey.
Another system's entropy is around 3200, using timer_entropyd to augment the plain Linux PRNG.
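An added example, not part of the thread, implementing the check noci describes in the two comments above (read entropy_avail against poolsize, and sample it every few seconds during the busy window rather than relying on a single reading). It is a small POSIX shell script; the file paths, the LOW/DEPLETED thresholds and the script name are my assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the thread): periodic sampler for the kernel
# entropy pool, to see whether entropy_avail collapses during the busy
# window instead of relying on a single reading.
#
# Assumptions (mine, not from the page): the file paths are the standard
# Linux ones and can be overridden through the environment for testing;
# the thresholds (below poolsize/4 = LOW, below 128 bits = DEPLETED) are
# a monitoring choice, not a kernel constant.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
POOLSIZE_FILE="${POOLSIZE_FILE:-/proc/sys/kernel/random/poolsize}"
LOW_DIVISOR=4        # LOW when avail < poolsize / 4
DEPLETED_BITS=128    # DEPLETED when avail < 128 bits

# classify_entropy AVAIL POOLSIZE
# Prints one of OK, LOW, DEPLETED. Always returns 0 so it is safe under set -e.
classify_entropy() {
    avail="$1"
    pool="$2"
    if [ "$avail" -lt "$DEPLETED_BITS" ]; then
        echo DEPLETED
    elif [ $((avail * LOW_DIVISOR)) -lt "$pool" ]; then
        echo LOW
    else
        echo OK
    fi
    return 0
}

# sample_entropy
# Reads both kernel files once and prints "HH:MM:SS avail=N pool=M STATUS".
sample_entropy() {
    avail="$(tr -dc '0-9' < "$ENTROPY_FILE")"
    pool="$(tr -dc '0-9' < "$POOLSIZE_FILE")"
    status="$(classify_entropy "$avail" "$pool")"
    printf '%s avail=%s pool=%s %s\n' "$(date '+%H:%M:%S')" "$avail" "$pool" "$status"
}

# monitor_entropy INTERVAL_SECONDS SAMPLES
# Takes SAMPLES readings INTERVAL_SECONDS apart, printing each one.
# Returns 1 if any reading was LOW or DEPLETED, 0 if every reading was OK,
# so the exit status can drive a cron alert or a TLS load-test harness.
monitor_entropy() {
    interval="${1:-5}"
    samples="${2:-60}"
    worst=0
    i=0
    while [ "$i" -lt "$samples" ]; do
        line="$(sample_entropy)"
        echo "$line"
        case "$line" in
            *LOW|*DEPLETED) worst=1 ;;
        esac
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then
            sleep "$interval"
        fi
    done
    return "$worst"
}

# Only start sampling when invoked as: sh entropy_watch.sh run [interval] [samples]
if [ "${1:-}" = "run" ]; then
    monitor_entropy "${2:-5}" "${3:-60}"
fi
```

Run it as `sh entropy_watch.sh run 5 1800` across the 13:00 to 15:30 window and keep the output next to the web server's TLS response times. Readings that stay near the 2600-2800 seen in the thread while handshakes stall point away from the entropy pool and towards the handshake itself (the DH parameter file noci mentions, or whatever else runs at connect time), whereas readings that drop towards zero at the same moment the latency appears make the entropy explanation credible and justify haveged or a hardware RNG.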
Temur Topuria, Web Developer
Commented:
The issue has been resolved.
The problem was not in random numbers. It was mostly about server configuration.
Thank you for your responses.
Temur Topuria, Web Developer

Author

Commented:
No other answers helped in resolving this issue.
The issue no longer exists, so the question should be closed.
