Make SSL faster on Linux CentOS with Apache 2.4 OpenSSL 1.0

Question

Colleagues!

Well, I have a huge problem with the speed of SSL authentication. Since I moved my website to SSL, GoogleBot has reduced the indexing of my website, because the SSL negotiation has the value below, which I got with WebPageTest.org:

URL: https://www.musiconline.com.br/jorge-e-mateus/alcapao/

Host: www.musiconline.com.br

Error/Status Code: 200

Client Port: 0

Start Offset: 0.735 s

DNS Lookup: 34 ms

Initial Connection: 170 ms

SSL Negotiation: 531 ms

Time to First Byte: 311 ms

Content Download: 178 ms

Bytes In (downloaded): 13.2 KB

Bytes Out (uploaded): 0.4 KB

Look, the "SSL Negotiation" is in 531ms, a big value.

Does someone know how I can solve this issue?

I verified mod_spdy; however, I can't install it because of the following message on my Linux CentOS 6, Apache 2.4:

root@server1 [/home/login/src]# rpm -U mod-spdy-*.rpm

warning: mod-spdy-beta_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY

error: Failed dependencies:

    httpd >= 2.2.4 is needed by mod-spdy-beta-0.9.4.3-420.x86_64

    mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.4.3-420.x86_64


root@server1 [/home/login/src]# httpd -v

Server version: Apache/2.4.12 (Unix)

Server built: Mar 21 2015 10:58:04

Cpanel::Easy::Apache v3.28.4 rev9999

root@server1 [/home/molbr/src]# uname -a

Linux server1.musiconline.com.br 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Thanks for your help.

Accepted Answer

Initial Connection: 170 ms

SSL Negotiation: 531 ms

Looking at a packet capture, I can see that after the initial TCP handshake the client starts the TLS handshake, and then it takes a long time for the server to send all the necessary data back (ServerHello, Certificates...). These data need 5 packets, and due to various TCP magic and OS tuning the last packet will only be sent once the server has got the acknowledgements for the previous packets. In detail, this TCP magic is probably TCP slow start with a fixed initial congestion window of 4 in the CentOS version you use (see https://www.igvita.com/2011/10/20/faster-web-vs-tcp-slow-start/).

What you can do: fix your certificate chain. If you look at the SSLLabs report, you will see "Chain issues: Contains anchor", which means that you send the root certificate even though the root certificate will be ignored by the client, and instead a trusted CA built into the client is used (the trust chain must be built from local trust!). If you fix your configuration by removing this root certificate, the data sent by the server will be shorter and you will not run into the slow-start problem.
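A way to check an Apache chain file for the "Contains anchor" problem described in the answer, added here as an example and not part of the original question or answer. It needs only openssl and awk, and builds a constructed throwaway root CA and leaf (hypothetical names, no real certificates) so it runs offline; the bytes it reports are the DER size of the root that the server would otherwise send in its Certificate message and the client would then ignore.

```shell
#!/usr/bin/env bash
# Added example: flag a PEM chain ending in a self-signed root ("Contains anchor") and report its DER bytes.
set -eu
# Split a PEM bundle into 1.pem, 2.pem, ... inside $2 (chain order); print the count.
split_chain() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ {f = d "/" (++i) ".pem"}
                 f {print > f} END {print i + 0}' "$1"
}

# True when subject equals issuer, i.e. the certificate is a self-signed anchor.
is_self_signed() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print "anchor <DER bytes>" when the chain's last certificate is a self-signed root, else "ok".
check_chain() {
  local dir n last
  dir=$(mktemp -d)
  n=$(split_chain "$1" "$dir")
  last="$dir/$n.pem"
  if is_self_signed "$last"; then
    echo "anchor $(openssl x509 -in "$last" -outform DER | wc -c | tr -d ' ')"
  else
    echo "ok"
  fi
  rm -rf "$dir"
}

# Constructed throwaway root CA + leaf (hypothetical names): bundle with root appended vs leaf alone.
make_demo_chains() {
  local w=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$w/root.key" -out "$w/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$w/leaf.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
    -CAcreateserial -out "$w/leaf.pem" 2>/dev/null
  cat "$w/leaf.pem" "$w/root.pem" > "$w/with_anchor.pem"   # what SSLLabs flags
  cp "$w/leaf.pem" "$w/without_anchor.pem"                 # the fixed chain
}

# Stand-alone run: "anchor <bytes>" for the bad bundle, "ok" for the fixed one.
demo_dir=$(mktemp -d) && make_demo_chains "$demo_dir"
echo "with_anchor:    $(check_chain "$demo_dir/with_anchor.pem")"
echo "without_anchor: $(check_chain "$demo_dir/without_anchor.pem")"
rm -rf "$demo_dir"
```

On a real server, point check_chain at the file named by SSLCertificateChainFile (or the bundle in SSLCertificateFile on Apache 2.4.8+) and drop the root only; intermediates must stay, because the client cannot build the chain without them.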
