KeepAlive over HTTPS fails

Could someone explain why KeepAlive fails for all requests to ocsp.comodoca.com? Actually I’m not sure what these requests are about, apart from the fact it has to do with my SSL certificate provider.

Sometimes if I re-run the test, KeepAlive works.

Here’s the test result:

https://www.webpagetest.org/result/170116_8Q_60e80e0015aebbe19d5ee876ff413024/1/performance_optimization/

I believe this is the reason for my GRADE F for TTFB. If I don’t use HTTPS, I never have this problem.

[EDIT]

After contacting the Comodo support team, here’s their reply. Is WebPageTest really an unreliable site to test site latency?

[i]Hello,

Thank you for your email, unfortunately you are using an unreliable site to test your latency on your site. We do not assist with performance issues on your site. We have tested your site using a more reliable provider which shows your site to be A+.

https://www.ssllabs.com/ssltest/analyze.html?d=www.pretty-story.com

If you need assistance with optimizing the performance of your site you will have to speak with a server administrator or your hosting company. As an SSL certificate will not slow down your site.[/i]

KeepAlive will only fail if more than one request was made to the target domain during the page load. It is probably intermittent because sometimes a 3rd-party ad or something like that also needs validation and sometimes it doesn’t.

And yes, the OCSP verification check will absolutely cause TTFB to fail. The best you can do to avoid the validation check is to staple the OCSP checks as part of your server config so the validation will come down with the certificate. This is probably way more information than you ever wanted on TLS performance but it is a good read (the whole book actually): Networking 101: Transport Layer Security (TLS) - High Performance Browser Networking (O'Reilly)

Some versions of IE on some OSes will not use stapling though, so you won’t be able to eliminate it entirely.

As far as SSL Labs goes, that doesn’t have anything to do with performance, just the security of your certificate configuration. There IS an entry in the report that tells you if OCSP Stapling is enabled (no in this case) but it isn’t part of the grade.
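
Added example, not part of any post in this thread: a shell helper that reads the output of `openssl s_client -status` and reports whether the server stapled an OCSP response, which is the same check the SSL Labs report entry mentioned above performs. The function name, the sample outputs (constructed, dates included) and the placeholder host are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the OCSP section of `openssl s_client -status` output (read on stdin).
# Prints one of: not-stapled | stapled:<cert status> | stapled-unusable | unknown
ocsp_staple_status() {
    awk '
        # s_client prints this line when the handshake carried no stapled response
        /OCSP response: no response sent/ { print "not-stapled"; found = 1; exit }
        # A staple is present; it only helps the client if the responder said "successful"
        /OCSP Response Status:/ { seen = 1; ok = ($0 ~ /successful/) }
        # Certificate status inside the stapled response: good, revoked or unknown
        /Cert Status:/ { sub(/^.*Cert Status:[ \t]*/, ""); status = $0 }
        END {
            if (found) exit
            if (!seen) print "unknown"
            else if (!ok) print "stapled-unusable"
            else print "stapled:" (status == "" ? "unparsed" : status)
        }'
}

# Constructed sample: server with stapling enabled
sample_stapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan 16 00:00:00 2017 GMT
    Next Update: Jan 23 00:00:00 2017 GMT
EOF
}

# Constructed sample: server without stapling, so the browser must query the CA itself
sample_unstapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

# Live check against your own server (www.example.com is a placeholder):
#   HOST=www.example.com
#   openssl s_client -connect "$HOST:443" -servername "$HOST" -status \
#       </dev/null 2>/dev/null | ocsp_staple_status
```

A result of `not-stapled` means clients fall back to contacting the CA's OCSP responder themselves, which is the extra request seen in the waterfall.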

Wow! Very interesting stuff here. I didn’t know about OCSP Stapling. Will definitely look into that.

Yes, I know that SSL Labs does not check anything about performance; that’s what I replied to Comodo support.

Thanks!