Website Test Results - SSL Negotiation Question

I’ve been running some benchmark tests of several sites for a couple weeks. I noticed that the First View SSL Negotiation times have decreased drastically for differing HTTPs calls from all site tests after March 8th using Dulles, VA - IE 8 - Cable. Each site has seen improvements in some but not all internal HTTPS calls and external HTTPS calls to x+1, doubleclick and several others - too many to be just a coincidence.

Here’s some examples for one such site:
3/1 http://www.webpagetest.org/result/130301_TH_1235/10/details/
3/4 http://www.webpagetest.org/result/130304_CT_J7N/2/details/
3/8 http://www.webpagetest.org/result/130308_2C_MXJ/8/details/
3/11 http://www.webpagetest.org/result/130311_WE_FPM/4/details/
3/12 http://www.webpagetest.org/result/130312_KD_13E5/2/details/

I’ve since run similar tests for some of the sites from 6 of the 7 U.S. locations and the SSL Negotiation times HAVE NOT varied by much from any of the other locations except Dulles, VA. Any idea what could be the cause of this decrease in SSL Negotiation times?

Any help is greatly appreciated,

Jeff

With the 2.10 release I changed the default behavior for clearing the OS certificate caches.

Somewhere around 6 months ago I started clearing the OS certificate caches which cased SSL negotiation times to go up significantly for the IE agents that were running on Windows Vista or later (IE on XP does not do CRL/OCSP checks).

There was quite a bit of push-back because it was clearing all of the certificates, including the certs from the root providers so IE was validating things like verisign’s root cert which is something that will hardly ever happen to end users.

The real world lies somewhere in between but I don’t have a way to just clear the leaf certificates and it was skewing site’s performance enough that it was hiding other issues so I made it an option on a per-test basis and it is disabled by default (it’s available in the advanced settings if you want to re-enable it for a given test).

Was that change something that took place since 3/8?

Yes, sorry, it was actually after the 2.10 release. 3/8 at around 1:45PM ET

Okay, thanks for the prompt response. I’m thinking we should run tests with an without SSL Certificate Caches cleared and use the median.

That would be my recommendation. It’s worth looking at the cost for OCSP checks, etc every now and then but I’d pay more attention to the site with the certs cached.

Thanks for the confirmation. We’ll incorporate some less frequent tests that examine OCSP checks. One last question related to this thread - Should I expect shorter SSL negotiation times since the 2.10 release at the other U.S. locations as well?

It depends on the OS they are running. I believe most locations are on Server 2003 or XP and would not have been doing the OCSP/CRL checks.