How to make SSL faster?

Hello,
How can I make SSL faster?
In webpagetest.org SSL Negotiation is too slow.
/etc/nginx/nginx.conf
Code:
# SSL PCI Compliance
ssl_session_cache shared:SSL:30m;      # shared session cache: returning clients get an abbreviated handshake
ssl_buffer_size 8k;                    # smaller than the 16k default, lowers time to first byte
ssl_session_timeout 20m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0 and 1.1 are still enabled; PCI DSS 3.1 classes TLS 1.0 as "early TLS" to be migrated off
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_ecdh_curve secp384r1;              # P-384 ECDHE is several times slower than prime256v1 (P-256); OpenSSL 1.0.1 has no X25519
ssl_stapling on;                       # stapling needs the resolver below to fetch the OCSP response from the CA
ssl_stapling_verify on;
ssl_dhparam /etc/nginx/dhparams.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
Use http2:
/home/user/conf/web/snginx.conf
Code:
server {
    listen 00.00.000.000:443 ssl http2;
    # ... rest of the server block not included in the post
}

nginx -V output:
nginx version: nginx/1.10.1
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
ALPN is not supported.
Thank you so much.
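Before changing the configuration it helps to see which part of the handshake is actually slow. The script below is an added example, not part of the original thread: it reduces an `openssl s_client` transcript to the three things this thread is about (whether an OCSP response is stapled, whether ALPN is negotiated so h2 can be used, and whether session reuse works) plus the handshake size. The `tls_probe` function runs against a live host; the parser itself runs offline against a constructed transcript, shaped like what s_client prints against a server such as the one in the question (no staple, no ALPN, OpenSSL 1.0.1). Host names and the sample text are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): triage a slow TLS handshake from an
# `openssl s_client` transcript. Checked: OCSP stapling (without it the
# browser does its own OCSP round trip), ALPN (without it nginx cannot
# negotiate h2 with current browsers), session reuse (without it every visit
# is a full handshake), and the bytes read during the first handshake.

# Reduce an s_client transcript on stdin to key=value lines.
summarize_s_client() {
    awk '
        /OCSP Response Status: successful/ { stapled = "yes" }
        /^OCSP response: no response sent/  { stapled = "no" }
        /^ALPN protocol: /                  { alpn = $3 }
        /^No ALPN negotiated/               { alpn = "none" }
        /^New, /                            { if (reused == "") reused = "no" }
        /^Reused, /                         { reused = "yes" }
        /^SSL handshake has read /          { if (bytes == "") bytes = $5 }
        /^ +Protocol +: /                   { protocol = $3 }
        /^ +Cipher +: /                     { cipher = $3 }
        END {
            printf "stapled=%s\n",         (stapled  == "" ? "unknown" : stapled)
            printf "alpn=%s\n",            (alpn     == "" ? "unknown" : alpn)
            printf "reused=%s\n",          (reused   == "" ? "unknown" : reused)
            printf "handshake_bytes=%s\n", (bytes    == "" ? "unknown" : bytes)
            printf "protocol=%s\n",        (protocol == "" ? "unknown" : protocol)
            printf "cipher=%s\n",          (cipher   == "" ? "unknown" : cipher)
        }'
}

# Live probe (needs network, and OpenSSL >= 1.0.2 on the client for -alpn).
# -status asks for a stapled OCSP response; -reconnect repeats the connection
# five times with the saved session, so the transcript shows whether reuse works.
tls_probe() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status -alpn h2,http/1.1 -reconnect 2>/dev/null | summarize_s_client
}

# Constructed transcript (not captured from a real server): no staple, no ALPN,
# session reuse working.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = GB, O = Comodo CA Limited, CN = AddTrust External CA Root
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.com
   i:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No ALPN negotiated
SSL handshake has read 3721 bytes and written 448 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---
drop connection and then reconnect
CONNECTED(00000003)
SSL handshake has read 2044 bytes and written 334 bytes
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}

# Offline demo of the parser; use `tls_probe www.example.com` for a live host.
sample_transcript | summarize_s_client
```

Reading the result: `stapled=no` means every browser that checks revocation pays an extra OCSP round trip, `alpn=none` means h2 will not be negotiated by browsers that only speak ALPN, `reused=no` means the session cache is not working across connections, and a large `handshake_bytes` usually means the served chain carries more certificates than it needs.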
Re: How to make SSL faster?
And an article on this topic:
https://blog.cloudflare.com/how-cloudfl ... -ssl-fast/
Re: How to make SSL faster?
My server is http2, newer than spdy. I cannot really go back to spdy.
In my case, installing OpenSSL 1.0.2h could make it faster:
https://www.keycdn.com/support/alpn/
But the problem is installing it. :/
Thank you.
Re: How to make SSL faster?
skurudo wrote:
Try these parts:
https://github.com/skurudo/nginx-a-plus-config-parts

How do you create the certificate chain for this line?
ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
Re: How to make SSL faster?
I will give you what I think is the fastest configuration so far; this only works on nginx.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;   # forward-secret AES-GCM suites first
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 30m;
ssl_buffer_size 4k; # This is very important for a consistent speed bump in latency
add_header X-Cache $upstream_cache_status;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
The last line, the Strict-Transport-Security header, is only needed if you want to force SSL.
With this configuration you will alleviate a lot of the performance issues, plus this configuration will give you an A+ on Qualys SSL Labs. Enjoy!
Re: How to make SSL faster?
Felix wrote:
skurudo wrote:
Try these parts:
https://github.com/skurudo/nginx-a-plus-config-parts
How do you create the certificate chain for this line?
ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;

Comodo (PositiveSSL):
Code:
# Comodo intermediates followed by the root, for ssl_trusted_certificate
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > comodo.pem
Code:
cat www.youdomain.com.p7b www.youdomain.com.ca-bundle > geotrust.pem
...
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/comodo.pem;
...
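The two files serve different purposes and want different contents: the file behind ssl_certificate is sent to every client on a full handshake, so it should hold the leaf first and then the intermediates only, while the file behind ssl_trusted_certificate is used by nginx to verify the stapled OCSP response and must also contain the root. The script below is an added example, not from the thread or from skurudo's repository: it builds a throwaway root, intermediate and leaf with openssl, assembles both files, and runs the checks worth doing before reloading nginx (chain validates, key matches the first certificate, the first certificate really is the leaf). The CA names, file names and www.example.com are invented for the demo; with a real PositiveSSL certificate the same checks apply to comodo.pem and your own cert.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate
# -> leaf hierarchy, assemble the nginx chain files, and check them.
set -e
work=$(mktemp -d)
cd "$work"

# Throwaway CA hierarchy standing in for root -> COMODO intermediate -> your cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.com" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# ssl_certificate: leaf first, then intermediates. The root is left out; clients
# already have it and sending it only adds bytes to every full handshake.
cat leaf.crt inter.crt > fullchain.pem
# ssl_trusted_certificate: intermediates plus root. nginx validates the stapled
# OCSP response against this file when ssl_stapling_verify is on, so the root
# must be present here.
cat inter.crt root.crt > trustchain.pem

# Check 1: the served chain validates up to a root in the trust file.
chain_verifies() {
    openssl verify -CAfile trustchain.pem -untrusted fullchain.pem leaf.crt >/dev/null 2>&1
}

# Check 2: the private key matches the first certificate in the chain file
# (nginx compares exactly these two and refuses to start on a mismatch).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 3: the first certificate is the server certificate, not an intermediate
# (the usual result of concatenating the CA bundle before the leaf).
first_cert_is_leaf() {
    openssl x509 -in "$1" -noout -subject | grep -q 'www.example.com'
}

if chain_verifies && key_matches_cert fullchain.pem leaf.key && first_cert_is_leaf fullchain.pem; then
    echo "fullchain.pem and trustchain.pem are consistent"
else
    echo "chain files are NOT consistent" >&2
    exit 1
fi
```

Run it as-is to see the checks pass; to reuse the checks on a real deployment, point `key_matches_cert` and `first_cert_is_leaf` at your own chain file and key and replace the www.example.com match with your host name.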