I have a problem with Apache server. The initial SSL handshake takes about 5-7 seconds which is horrible. After that the response time is in milliseconds - but the messages must be sent right after the first one or the handshake will be done again after a few seconds of inactivity. Is there any way to speed it up with Apache configuration?
2 Answers
This is with some Linux distro, right?
Is this server mostly idle? Perhaps Apache is shoveling randomness from /dev/random. That can sometimes be very slow, since /dev/random requires "real" randomness; stuff like moving the mouse, using the keyboard and network traffic gathers the entropy. If the kernel entropy pool is nearly empty, processes requiring randomness tend to stall for a (long) while.
Should this be the situation, cat /proc/sys/kernel/random/entropy_avail should be near zero during SSL handshake.
You may switch the randomness source to /dev/urandom by using the SSLRandomSeed Apache directive, but be warned, this is theoretically not as secure as /dev/random.
Another solution is to use a daemon like rngd (available from the rng-tools package in many Linux distros) which fills up the entropy pool.
- No change with /dev/urandom. I don't have rng-tools and tcpdump from the post below available and because I'm not the server's admin I can't install it. – Tom, commented Jun 15, 2011 at 12:32
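The entropy-starvation check described in the answer above, as an added example that is not part of the original answer or of Apache's own tooling. It samples the kernel's entropy counter while you reproduce the slow handshake from another terminal, and it scans an httpd config for SSLRandomSeed lines that read from the blocking /dev/random device. The 200-bit low-water mark and the sample config are assumptions constructed for this script; the mod_ssl directive syntax (SSLRandomSeed startup|connect file:/dev/... bytes) is real.

```shell
#!/bin/sh
# Added diagnostic for the "Apache blocks on /dev/random" hypothesis.
# Not from the answer or from Apache; threshold and sample config are constructed.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
LOW_WATERMARK=200   # assumed: below this, blocking reads of /dev/random tend to stall

# entropy_verdict BITS -> prints "starved" or "ok"
entropy_verdict() {
    if [ "$1" -lt "$LOW_WATERMARK" ]; then
        echo starved
    else
        echo ok
    fi
}

# sample_entropy SECONDS -> polls entropy_avail once per second and prints the
# minimum value seen. Run it while a client performs the slow handshake; a
# minimum near zero supports the entropy-starvation explanation.
sample_entropy() {
    secs=${1:-10}
    min=
    i=0
    while [ "$i" -lt "$secs" ]; do
        if [ -r "$ENTROPY_FILE" ]; then
            now=$(cat "$ENTROPY_FILE")
        else
            now=0   # no entropy counter here (non-Linux kernel or restricted /proc)
        fi
        if [ -z "$min" ] || [ "$now" -lt "$min" ]; then
            min=$now
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "$min"
}

# blocking_seed_lines CONF -> prints the SSLRandomSeed lines that read from the
# blocking /dev/random device (the ones that stall when the pool is empty).
# Exit status 0 if any were found, 1 otherwise.
blocking_seed_lines() {
    grep -E '^[[:space:]]*SSLRandomSeed[[:space:]]+(startup|connect)[[:space:]]+file:/dev/random([[:space:]]|$)' "$1"
}

# Constructed sample config so the script runs stand-alone; point the function at
# your real ssl.conf instead.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect file:/dev/random 512
# non-blocking alternative:
# SSLRandomSeed startup file:/dev/urandom 512
# SSLRandomSeed connect file:/dev/urandom 512
EOF

echo "current pool: $(entropy_verdict "$(sample_entropy 1)")"
blocking_seed_lines "$SAMPLE_CONF" && echo "=> these lines block on the kernel pool; use /dev/urandom or run rngd"
rm -f "$SAMPLE_CONF"
```

To use it on the server from the question, run sample_entropy 15 in one shell, start a TLS client against the server in another, and compare the printed minimum with the 5-7 second stall; then run blocking_seed_lines against the real httpd SSL config to see whether a /dev/random seed is configured at all.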
Besides what Janne Pikkarainen said, check also if the server is not doing a DNS reverse lookup for SSL requests. Run a tcpdump -pi eth0 port 53.