https SSL 握手时间过长,大于 3 秒

2020-05-18 17:19:01 +08:00
 constructor

使用 Let's Encrypt 证书,在阿里云 ECS Nginx 开启 https 。

网站首次打开 waterfall 如下,紫色部分 SSL 花费时间太长了,可能的原因是什么?怎么解决?

1. Waterfall

2. 首页 waterfall 详情

网站绝大部分时间都花在了 SSL 部分了。

5502 次点击
所在节点    程序员
14 条回复
jaylee4869
2020-05-18 17:23:43 +08:00
看一下 conf
jaylee4869
2020-05-18 17:26:37 +08:00
curl 网站 https 地址 -vvv
Tink
2020-05-18 17:28:34 +08:00
上 cdn
rrfeng
2020-05-18 17:38:33 +08:00
估计是 CA 验证在国外导致的,nginx 配置一下 ocsp stapling 吧。
jacklin96
2020-05-18 18:06:43 +08:00
OCSP 域名被污染了,需要换证书或者客户端翻墙
可能直接换证书最快
加 OCSP Stapling 也不一定有效
constructor
2020-05-18 18:44:09 +08:00
@jaylee4869

### 1. ngxin.conf 配置如下

```conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
```

### 2. 网站 dev.example.com 配置如下:

```conf
server {
listen 80;
listen [::]:80;

server_name dev.example.com;

location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://112.74.113.106:8090;
}

listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
```conf

### 3. curl -vvv https://dev.example.com 输出如下:

```conf
* Rebuilt URL to: https://dev.example.com/
* Trying 112.74.90.77...
* TCP_NODELAY set
* Connected to dev.example.com (112.74.90.77) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.example.com
* start date: Apr 29 13:04:41 2020 GMT
* expire date: Jul 28 13:04:41 2020 GMT
* subjectAltName: host "dev.example.com" matched cert's "*.example.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: dev.example.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 18 May 2020 10:38:26 GMT
< Content-Type: text/html
< Content-Length: 2878
< Last-Modified: Sun, 17 May 2020 10:44:30 GMT
< Connection: keep-alive
< ETag: "5ec1158e-b3e"
< Accept-Ranges: bytes
```

* 域名和 IP 进行了替换,还请谅解。 *
constructor
2020-05-18 20:22:40 +08:00
@jacklin96
"更换证书"是指换其他 CA 比如 Symantec 、GlobalSign 、GeoTrust 还是用 Let's Encrypt 重新生成证书?
n329291362
2020-05-18 20:43:59 +08:00
let's encrypt 的证书 服务端配置一下 ocsp stapling 吧
或者买其他家的证书 就是买 Symantec 、GlobalSign 、GeoTrust 之类的
cy476571989
2020-05-18 21:04:21 +08:00
我也有同样的问题。
lanternxx
2020-05-18 21:26:13 +08:00
开一下 ocsp 装订试试 虽然我觉得可能没用 chrome 应该是不检查 ocsp 的
xiaotianhu
2020-05-18 22:46:56 +08:00
ocsp 服务器坏了

被迫换了阿里云免费证书。
constructor
2020-05-19 09:41:50 +08:00
OCSP 服务器连接不上, ping ocsp.int-x3.letsencrypt.org 超时

通过 openssl 验证超时:

```
openssl ocsp -issuer fullchain.pem -cert cert.pem -text -url http://ocsp.int-x3.letsencrypt.org
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: 25AA0A105713B51AB5A49554679566211FA63FCF
Serial Number: 03638E20AC5D648DA7DB51EA00638CFAEF33
Request Extensions:
OCSP Nonce:
0410053BDB6861C216D9924BC81A9295430F
Error connecting BIO
Error querying OCSP responder
4733388396:error:02FFF03C:system library:func(4095):Operation timed out:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/bio/bss_conn.c:244:host=ocsp.int-x3.letsencrypt.org:80
4733388396:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/bio/bss_conn.c:247:
```
jacklin96
2020-05-19 10:35:13 +08:00
@constructor 换其他 CA 就行,国内目前只能远离 Let's Encrypt
BitCert
2020-05-19 12:38:19 +08:00
LE 现在不稳定

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/672952

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX