15-10-2017, 02:04 PM   #44
russellw
Chairman & Administrator
Join Date: Dec 2004
Location: 1975
Posts: 106,550
Re: Forum extremely slow to load(??)

OK. Let's get some science behind this. Let me make it clear that this is not an issue at our server end, otherwise it would be consistent across users.

There are a number of things server side that can cause slow TLS negotiation and these are looked at below.

1. Certificate Chain length. Cheaper SSL certs are often 3 or 4 deep in the chain but we chose Comodo as it is a first level certificate provider. To verify this, most desktop web browsers allow you to view a site’s certificate, including certificate chain length. For example, in Chrome, simply click on the padlock/HTTPS area of the address bar, click the “Connection” tab, and click “Certificate Information”.
Note: You might find that your antivirus software is actually listed as the issuer of the certificate (Bit Defender does this) as per the example below.



A chain configuration check for AFF returns the following:




2. Data Encryption. A decade ago, TLS data encryption added significant overhead to page loads; however, support for certain ciphers in CPUs has eliminated this issue, provided the right cipher is used by the server. The consensus from both security engineers and administrators that run large TLS websites is to use AES 128 bit encryption keys. This is what we use for AFF.

3. TLS Handshake. The TLS handshake is the process that the browser and server follow to decide how to communicate and create the secured connection and this is the area where most performance issues are caused. A full TLS handshake involves 2 round trips between your browser and the AFF server and a faster internet connection doesn't make those round trips any faster. This handshake will typically take between 250 milliseconds and half a second, but it can take longer.

Half a second might not sound like a lot of time, but the main problem with the TLS handshake is not how long it takes, it is when the handshake happens, because it happens before any data can be exchanged.

This can be fixed for browsers that don't hold state if we enable TLS resumption on our end. Basically, TLS session resumption allows a client to say, "Hey server, we communicated a little while ago and did so using the following TLS options… Is it OK to start talking again using those same options?"

I'll see if I can work out how to enable it.

Cheers
Russ
__________________________________________________

Observatio Facta Rotae


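The resumption check described in the post above, as an added example that is not part of the original post or the forum's own code: it reads the ClientHello and ServerHello of one connection and reports whether the server resumed the session (one round trip) or ran the full handshake (two), and which cipher it selected. It assumes TLS 1.2 or earlier, where a server echoing the client's non-empty session ID signals resumption; all function names and the sample records are constructed for illustration.

```python
# Added example: classify a TLS <=1.2 handshake as full or resumed from its hello records.
AES128_SUITES = {  # a few AES-128 suite IDs from the IANA TLS cipher suite registry
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_hello(record: bytes) -> dict:
    """Parse one ClientHello/ServerHello record up to the cipher field."""
    if len(record) < 9 or record[0] != 22:  # 22 = handshake content type
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or hs_len != rec_len - 4 or hs_type not in (1, 2):
        raise ValueError("expected exactly one complete hello message")
    body = record[9:]  # version(2) + random(32) + session_id_len(1) + ...
    if len(body) < 37 or body[34] > 32 or 37 + body[34] > len(body):
        raise ValueError("truncated hello or bad session id length")
    sid_end = 35 + body[34]
    hello = {"type": hs_type, "session_id": body[35:sid_end]}
    if hs_type == 2:  # ServerHello carries the single suite the server selected
        hello["cipher"] = int.from_bytes(body[sid_end:sid_end + 2], "big")
    return hello

def classify_handshake(client_hello: bytes, server_hello: bytes) -> dict:
    """Resumed means the server echoed the non-empty session ID the client offered."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    if (c["type"], s["type"]) != (1, 2):
        raise ValueError("need a ClientHello followed by a ServerHello")
    resumed = bool(c["session_id"]) and c["session_id"] == s["session_id"]
    return {
        "resumed": resumed,
        "round_trips": 1 if resumed else 2,  # abbreviated vs full handshake
        "cipher": AES128_SUITES.get(s["cipher"], "other suite 0x%04X" % s["cipher"]),
    }

def make_hello(hs_type: int, session_id: bytes, tail: bytes) -> bytes:
    """Build a constructed sample record (zeroed random, no extensions)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

# Constructed samples: the client offers one suite and the server selects it.
CLIENT_TAIL, SERVER_TAIL = b"\x00\x02\xc0\x2f\x01\x00", b"\xc0\x2f\x00"
SID = bytes(range(32))  # constructed session ID
first_visit = classify_handshake(make_hello(1, b"", CLIENT_TAIL), make_hello(2, SID, SERVER_TAIL))
return_visit = classify_handshake(make_hello(1, SID, CLIENT_TAIL), make_hello(2, SID, SERVER_TAIL))
print(first_visit, return_visit)
```

A server with resumption disabled, or whose session cache has expired, answers a returning client with a different session ID, and the classifier reports that as a full two-round-trip handshake.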