Time Delay Between DNS Reply and FirstByte

I am new to the site and have found it useful to help see real world performance of browser performance with the web site. My site is a liferay portal with postgresql DB on real iron and it performs well. Have not load bombed it or fine tuned it yet but I will. There is a reverse proxy that does Certificate Offloading so SSL is only to the RP and it is just http internally. The RP serves other applications and has pretty heavy security configured. The site only runs TLS 1.0,1.1,1.2 with strong ciphers. (only and A on ssllabs to support IE). The RP protects many applications. Standard tight security build.

This is a HTTPS only site. I need to use either Apache 2.2 or 2.4. Started with Apache 2.2 (CentOS 6.6 OTB) and got the performance but noticed that with Chrome I get straight A’s on most sites. As soon as I tried IE from anywhere the TTFB score was now E-F. Not for even the TTFB, when ever a CDN (google JS) was used with HTTPS it was slow. I examined it carefully and understood it was all OCSP lookups from a slow Symantec CDN. Many response were 1+ seconds. I researched further and realised I would have to change to Apache 2.4 to support OCSP stapling believing that would solve the problem.

Reinstalled with Apache 2.4, tuned it up A+ on ssllabs but many IE’s and MS phones would not work so downgraded the ciphers and now only get an A-. Some gmail servers only get a C. Then started testing it here and my changes had improved the TTFB for IE for most versions (now C-D) but there was still a significant lag between DNS reply and TTFB. So I captured the packets (tcpdump) and downloaded it to Wireshark. As suspected IE was still doing OCSP checks back to the slow Symantec CDN. I checked the certs with external cert checkers and my OCSP stapling was valid and working. Reduced the time window of the stapling to 300 seconds. No change. The packet shows a valid OCSP staple presented but IE still goes off and checks wasting half a second. What am I missing? What else can I change to fix this.

My certs are only wildcards but for real they will be changed to EV’s with SAN’s. I know HTTPS is a pain but it is life now for what I do. If I back off and drop some stuff over HTTP I will reveal session cookies and open myself up for session hijacking. It is only IE that does this synchronous OCSP check. Most other browser check asynchronously.

Typical &39&ing MS. Only work well with their 9)7%. Thanks goodness they on the ground in death throws. Only nerves twitching. Just wish they would get it over with quicker.

Any ides would be appreciated.

If a browser does an OCSP check it will be blocking and synchronous. What OS were the IE tests being run on (or which location)? If it is < Vista then IE won’t support stapling.

Can you tell which certificate is being validated and how long your chain is? Is it possible that it is checking for an intermediate certificate that isn’t stapled?

Hey Thanks,
These test were was running out of Manchester, UK. Chrome is bullet fast because they use the Google way. The OCSP from Symantic’s Akami site is so slow. I will try other sites for different OS bases.

Thanks G