Intermittent SSL Negotiation Delays or Slowness

I am getting intermittent slowness for SSL Negotiations. I don’t know where to even start debugging this. Any help is greatly appreciated.

Here is the result of 5 test runs:
Dianna Houx Coaching Test

As you can see, initial SSL negotiation for runs 1 and 2 are pretty fast. But 3, 4, and 5 are amazingly slow.

You can also see various resources that have abnormally long (and seemingly random) delays in SSL negotiation.

I don’t know how to go about diagnosing the cause of this.

I’m using Let’s Encrypt with Certbot. Is this related to any known issues with Let’s Encrypt. If Let’s Encrypt has performance problems, I will consider just buying a certificate.


It shouldn’t have anything to do with Let’s Encrypt or Certbot, those just get the certificate onto the server. The actual TLS negotiation is between the server and browser and independent of the CA (at least when not using EV certs). That looks like a transient network or server problem where it either rate-limited the connections or something caused the server to pause for a second during the negotiation.

Thank you for the response!

So based on what you said, I looked at my apache2 modules to see if maybe there was a module enabled that does rate-limiting. I don’t see anything to that effect, and I’m pretty sure I would remember if I had enabled a rate-limiting module. (But I could have forgotten and just not be seeing it. :P)

It’s a fairly typical base Apache/2.4.18 install on ubuntu 16.04.6 LTS.

The server runs in Amazon EC2, so I find it hard to believe it’s a network issue. But I’m sure you know some things I don’t!

When the TCL handshake occurs, I presume the client initiates a single socket connection to the server and the the handshake is negotiated over that socket, yes?

I suppose one way to prove whether or not its a general rate-limiting issue would be to disable SSL and see if there are connection delays on vanilla HTTP. I’ll try that first.
Ok, well your response was definitely helpful!

I disabled SSL and tested the site over HTTP.

Here are the results:
Dianna Houx Coaching without SSL Results

The same intermittent delays that last nearly two seconds still occur, but they show as ordinary resource delays now.

Clearly the problem is NOT SSL.

It definitely seems like a rate-limiting issue. It looks like a new connection is accepted and then the server just sits there and decides to wait before sending any actual data.

Hmmm :huh:

I can see how this could technically be a transient network problem. But dang… how would I figure out if that’s the cause? And if it is, then what do I do? Move my site to a different data center? Or a different host even?

:idea: I could move to a different Amazon datacenter! That seems like a last resort test, but it’s an option.