I’ve noticed increased secure connection latency between DNS lookup and Initial Connections on many (but not all) of our HTTPS requests since about Jan 6th for our subdomains and 3rd parties alike.
Before - http://www.webpagetest.org/result/140106_XY_J9M/8/details/
After - http://www.webpagetest.org/result/140120_11_ME6/8/details/
I’ve done some research and found that there’s been a big shift in the industry from 1024-bit encryption to 2048-bit encryption between late 2013 and now. We’re using 2048-bit encryption on our web servers. I know encrypting a longer key takes more time and CPU. Is it possible the test agents we’re using through WPT are getting CPU bound? I can’t figure out where this timing gap is coming from between DNS Lookup and Initial Connection all of the sudden.
We’ve checked our web servers and their CPU thresholds are fine. However we’re still seeing recurring HTTPS connection latencies that are pushing out Fully Loaded Times by 1.2+ secs recently.
Any thoughts are greatly appreciated.
Our support folks are still racking their brains on this issue. They’re suggesting that it may be any of the following:
- an issue or change on the WPT side with how the IE-10 connection tasks are displayed in the waterfalls
- a change in how IE-10 handles 2048-bit encryption (not likely for this timeframe though)
- possible CPU/memory issues with the test agents
Have you had a chance to look at the test results in original post or have any suggestions on what’s going on? We’re really interested in knowing what the time delays are that are increasing our load times.
Try turning on “Ignore Cert Errors” and see if the performance changes back to what you’d expect. The only change that I see in the history in that date range that seems likely to have impacted was this one: Changed the wptdriver cert ignoring to only kick in if explicitly req… · WPO-Foundation/webpagetest@02e4dbd · GitHub
Prior to the change, the IE 10+ agents were always ignoring cert errors and doing it by stubbing out the chain validation (which probably included OCSP checks). Now it is only stubbing it out when explicitly requested.
I went ahead and reran a set of IE-10 tests ignoring certificate errors and the median time is back down to our normal range, which means now we know why the load times changed (the default behavior of the IE 10+ agents has changed).
However, I had recently checked all of our secure domain calls in the waterfalls with an SSL Checker, http://www.sslshopper.com/ssl-checker.html, and all the certs/chain validations checked out fine.
So, does checking the “ignore cert errors” box mean that the tests will not perform any chain validation/OCSP checks at all OR do we actually have cert errors on our page that the SSL Checker utility doesn’t identify?
The “ignore cert errors” completely bypasses the validation/OCSP, not just if errors are found which is why there’s a performance difference between the two.
Ok thanks. Since we’re striving to re-create tests as close to “actual customer experience” as possible, we’ll use the new IE 10+ default behavior and let the validation/OCSP execute, re-baseline our load times and explain the adjustment to our business stakeholders.
Thanks for providing such a great WPO tool!
Any way of showing the validation/OCSP activity in the waterfall for IE 10+ (like FF does)? I presume that’s what the blank time gaps are between some of the DNS Lookup and Initial Connection tasks for secure domain requests or is that something else?
Looking into it. It looks like the validation for IE is done out-of-process from the browser so I don’t see the requests.
Is there another way to decipher what’s going on underneath the hood at these times (between DNS and Initial Connection)? I see an option on the Advance tab for tcpdump (I’ll try that and get back to you), but haven’t used it before in WPT. I have looked at some WireShark tcplogs from my local machine a while back - maybe the outputs are similar? I’m trying to target some optimization efforts at the connection related requests to improve TTFB, SSL negotiations times, etc. and reduce page load times further (unless you see other lower hanging fruit opportunities in the waterfall to focus on).
IE10: http://www.webpagetest.org/result/140210_AY_MZF/4/details/ (need more visibility into connection time gaps)
IE11: http://www.webpagetest.org/result/140210_B8_MZJ/7/details/ (doesn’t show much detail in waterfall or request details to understand what’s going on with this browser version)
Chrome: http://www.webpagetest.org/result/140210_0D_MZM/9/details/cached (shows 1+ sec longer Fully Loaded Time in summary table vs. Waterfall or Request Details sections?)
Any guidance in applying WPO with the varying levels of detail between the different browser results listed above would be greatly appreciated.