Firefox + wptagent -- slow SSL negotiation times

We are migrating from wptdriver to wptagent. Firefox is experiencing very slow SSL negotiation times and the wptagent results are significantly slower than wptdriver. This does not seem to impact Chrome.

I have tried various versions of Firefox from 58 - 61, so I suspect this is an issue with the agent and not the browser.

The public agents seem to have a similar issue. Here is a Firefox result with the slow negotiation times:

Here is a Chrome result set which does not have lengthy SSL connection times:

I suspect this may not be fixed?
https://github.com/WPO-Foundation/webpagetest/issues/1106

If you are talking about the requests later in the waterfall, there’s a really good chance that is a reporting artifact from the Mozilla logs for requests where the connection is established long before the request itself is actually sent (preconnect basically). The SSL negotiation itself is probably fast but there is no “end” in the log so it assumes it ended when the request itself was sent. You can probably verify with a tcpdump. I’ll see if there is anything I can pull out of the logs to show the real end time of the SSL negotiation. wptdriver didn’t rely on the Mozilla logs and could parse the TLS streams directly so it didn’t have the same artifacts.

Some of them look valid due to the OCSP validation checks (which really explode when you have a lot of 3rd-party domains).

The 5-8 second ones look like times where something was pretty wedged with Firefox (maybe the main thread was busy or something). It’s all network activity that had delays during those times.

For the base page (what the linked issue was describing):

For wptdriver, try checking the “Clear SSL Certificate Caches” checkbox in the advanced settings tab. It looks like the “long” SSL negotiation times are entirely caused by the OCSP validation check, which Chrome doesn’t do for DV certificates but Firefox does for all certificates.

For the wptdriver tests I am guessing that the revocation checks are cached in the Windows certificate cache. There is no similar cache for Linux but running wptagent on Windows should show the same caching behavior.
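
The tcpdump check suggested in the thread, as an added example that is not part of the original posts or of WebPageTest's code: it reads TLS record headers from one connection's TCP payloads and compares the negotiation time seen on the wire with the time obtained by assuming the negotiation ended when the request was sent. It assumes a full TLS 1.2 handshake, treats the last ChangeCipherSpec as the end of negotiation (a heuristic), and uses constructed sample segments; `ssl_times`, `tls_records` and `record` are names chosen for this example.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 22, 20, 23

def tls_records(payload):
    """Yield (content_type, body) for each complete TLS record in one TCP payload."""
    offset = 0
    while offset + 5 <= len(payload):
        ctype, _version, length = struct.unpack_from("!BHH", payload, offset)
        body = payload[offset + 5:offset + 5 + length]
        if len(body) < length:  # record continues in a later segment; not reassembled here
            break
        yield ctype, body
        offset += 5 + length

def ssl_times(segments):
    """segments: (time_ms, tcp_payload) pairs for one connection, both directions."""
    hello = last_ccs = first_data = None
    for ts, payload in segments:
        for ctype, body in tls_records(payload):
            if ctype == HANDSHAKE and hello is None and body[:1] == b"\x01":
                hello = ts        # ClientHello: negotiation starts
            elif ctype == CHANGE_CIPHER_SPEC:
                last_ccs = ts     # assumption: last ChangeCipherSpec ends a TLS 1.2 handshake
            elif ctype == APPLICATION_DATA and first_data is None:
                first_data = ts   # first encrypted request/response data
    if None in (hello, last_ccs, first_data):
        raise ValueError("capture does not contain a complete handshake and request")
    return {"on_wire_ms": last_ccs - hello, "assumed_ms": first_data - hello}

def record(ctype, body):
    """Build one TLS record (version field 0x0303) for the constructed sample."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

# Constructed sample: a preconnected socket whose request is sent 2.2 s after the handshake.
SEGMENTS = [
    (100, record(HANDSHAKE, b"\x01" + bytes(40))),              # ClientHello
    (130, record(HANDSHAKE, b"\x02" + bytes(40))),              # ServerHello flight
    (135, record(HANDSHAKE, b"\x10" + bytes(20))
          + record(CHANGE_CIPHER_SPEC, b"\x01")
          + record(HANDSHAKE, bytes(40))),                      # client key exchange, CCS, Finished
    (165, record(CHANGE_CIPHER_SPEC, b"\x01")
          + record(HANDSHAKE, bytes(40))),                      # server CCS, Finished
    (2400, record(APPLICATION_DATA, bytes(64))),                # HTTP request finally sent
]

if __name__ == "__main__":
    print(ssl_times(SEGMENTS))
```

A large gap between the two values on a connection points to the reporting artifact rather than a slow negotiation; a large on-wire value points to a real delay such as a revocation check.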