SSL handshake repeats during Web Page Test

Please refer to my WPT result

What is the expected behavior?
The domain venom-assets.edmunds-media.com is part of the TLS certificate for www.edmunds.com and any calls to it should be trusted after the initial handshake, i.e. it should happen only once at the beginning.

What went wrong?
Around step #15, the SSL handshake happens again for the domain venom-assets.edmunds-media.com.
The request is for font data
https://venom-assets.edmunds-media.com/edmunds-icons.d6c6f44127d52a92cde986b1cbc4bcd9.woff2

Chrome version: 67.0.3396.62 Channel: stable
OS Version: Linux

For webpagetest, issue occurs on Android too.

Welcome to “credentialed connection” hell. Fonts are considered non-credentialed and are requested on an “anonymous” connection. From Chrome and Firefox’s perspective that means using a completely separate connection where cookies are never sent.

You can see some of the discussion around it here: CORS Anonymous requests complicates preconnect · Issue #32 · w3c/resource-hints · GitHub

There is active discussion around getting rid of the second-connection requirement but it’s still the case right now.

I THINK (needs verifying) that if the fonts are from the same origin as the page then it may re-use the same connection but once it crosses origins it bumps into the CORS anonymous requirement.
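As an added illustration of the point above (example code, not from the thread or from Chrome): fonts are fetched in CORS "anonymous" mode, so a cross-origin font origin needs a `<link rel="preconnect" ... crossorigin>` hint to warm the credential-less connection, while other assets from the same host still use the credentialed one; the helper below works that out from a page URL and its asset URLs. It assumes assets can be classified as fonts by file extension, and the sample URLs are constructed.

```javascript
// Added example: compute the preconnect hints needed so the anonymous
// (credential-less) connection Chrome uses for cross-origin fonts is opened
// early instead of showing up as a second TLS handshake mid-waterfall.
// Assumption: font requests are CORS "anonymous", so their preconnect hint
// must carry the `crossorigin` attribute; non-font assets from the same
// origin use the credentialed pool and need a hint without it.

const FONT_EXTENSIONS = /\.(woff2?|ttf|otf|eot)$/i;

function preconnectHintsFor(pageUrl, assetUrls) {
  const pageOrigin = new URL(pageUrl).origin;
  const hints = new Map(); // key: origin + "|" + anonymous flag
  for (const asset of assetUrls) {
    const url = new URL(asset, pageUrl);
    // Same-origin fonts can reuse the page's own connection; no hint needed.
    if (url.origin === pageOrigin) continue;
    const anonymous = FONT_EXTENSIONS.test(url.pathname);
    const key = `${url.origin}|${anonymous}`;
    if (!hints.has(key)) {
      hints.set(key, { origin: url.origin, crossorigin: anonymous });
    }
  }
  return [...hints.values()];
}

function renderPreconnectLinks(hints) {
  return hints
    .map(h => `<link rel="preconnect" href="${h.origin}"${h.crossorigin ? " crossorigin" : ""}>`)
    .join("\n");
}

// Constructed sample: one same-origin stylesheet, one cross-origin font and
// one cross-origin image from the asset host named in the thread.
const sampleHints = preconnectHintsFor("https://www.edmunds.com/", [
  "https://www.edmunds.com/app.css",
  "https://venom-assets.edmunds-media.com/edmunds-icons.d6c6f44127d52a92cde986b1cbc4bcd9.woff2",
  "https://venom-assets.edmunds-media.com/logo.png",
]);
console.log(renderPreconnectLinks(sampleHints));
```

Both hints for the same host are deliberate: the font and the image travel over two different connections, so each pool needs its own preconnect.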

Thanks Patrick. I also opened a ticket with Chrome dev. Adding it here for details from their side.

https://bugs.chromium.org/p/chromium/issues/detail?id=850143

A very peculiar waterfall.

Just looking at the top of the waterfall…

#1 + #2 - external OCSP sites get hit.

#3 + #4 - show some assets being hit prior to the HTML component (#5) completing.

All the other SSL handshake (as Patrick mentioned) get hit when any offsite reference occurs.

I’d start by removing NGINX from the mix + get your Apache + HTTP2 working correctly, as HTTP2 is off for this site.

Also, check your SSL setup at the Apache level.

Once all’s well, then try running NGINX on another port + get its config working before inserting it again.

Maybe this waterfall signature is an artifact of recent NGINX versions.

Looks like you’re running NGINX-1.8.1 + other recent WPT pages show a similar waterfall… like…

Which is also running NGINX with no version number exposed.

Notice with this other WPT report…

#1 + #2 - external OCSP sites get hit, same as your waterfall.

Contrast this to a random WordPress site running straight Apache with a highly optimized HTTP2 TLS stack + optimized assets…

Very different waterfall.

Just looks… a bit odd…

The OCSP requests are cert revocation checks because of EV certificates. The only way to eliminate both of them is to use DV certs instead of EV certs. You can get rid of one of them by enabling OCSP stapling on the server.

Hi dfavor
#3 is actually our main content download.
Also we are set up for HTTP/2. You can confirm this by entering the site at HTTP/2 Test - Verify HTTP/2 Support | KeyCDN Tools
Getting off NGINX is not a decision we can take lightly. Do you have some more info/references on why Apache+http/2 is better than nginx+http/2?