Re: Extra RTT on large certificates (again?)

2017-05-23 Thread Albert Casademont
Thanks, makes perfect sense :)

On Tue, May 23, 2017 at 7:56 PM, Maxim Dounin wrote:

> Hello!
>
> On Tue, May 23, 2017 at 06:44:27PM +0200, Albert Casademont wrote:
>
> > Hi Maxim,
> >
> > Yes, as we were already compiling our own nginx we apply a patch in openssl
> > before compilation increas

Re: Extra RTT on large certificates (again?)

2017-05-23 Thread Maxim Dounin
Hello!

On Tue, May 23, 2017 at 06:44:27PM +0200, Albert Casademont wrote:

> Hi Maxim,
>
> Yes, as we were already compiling our own nginx we apply a patch in openssl
> before compilation increasing the buffer size to 5120 bytes as a workaround.
>
> As for the patch, we already had "tcp_nodelay

Re: Extra RTT on large certificates (again?)

2017-05-23 Thread Albert Casademont
Hi Maxim, Yes, as we were already compiling our own nginx we apply a patch in openssl before compilation increasing the buffer size to 5120 bytes as a workaround. As for the patch, we already had "tcp_nodelay on" set in our http {} config and we kept seeing the extra RTT, is this a different sett

Re: Extra RTT on large certificates (again?)

2017-05-23 Thread Maxim Dounin
Hello!

On Mon, May 22, 2017 at 10:34:11PM +0200, Albert Casademont wrote:

> Seems like the openssl devs are aware of the issue and welcoming PRs, AFAIK
> nothing's been done yet.
>
> https://mta.openssl.org/pipermail/openssl-users/2016-November/004835.html

Thanks for the link, it confirms what

Re: Extra RTT on large certificates (again?)

2017-05-22 Thread Albert Casademont
Seems like the openssl devs are aware of the issue and welcoming PRs, AFAIK nothing's been done yet.

https://mta.openssl.org/pipermail/openssl-users/2016-November/004835.html

On Mon, May 22, 2017 at 10:09 PM, Albert Casademont <albertcasadem...@gmail.com> wrote:

> Hi Maxim,
>
> Thanks for the p

Re: Extra RTT on large certificates (again?)

2017-05-22 Thread Albert Casademont
Hi Maxim,

Thanks for the prompt response. Yes, we're using Openssl 1.1.0e at the moment...That is unfortunate, what would you suggest doing? Report this to the openssl devs? An extra RTT is quite painful.

Best,
Albert

On Mon, May 22, 2017 at 9:27 PM, Maxim Dounin wrote:

> Hello!
>
> On Mon, M

Re: Extra RTT on large certificates (again?)

2017-05-22 Thread Maxim Dounin
Hello!

On Mon, May 22, 2017 at 08:15:43PM +0200, Albert Casademont wrote:

> Hi,
>
> A few years ago a bug was reported on the extra RTT caused by large
> certificates (https://trac.nginx.org/nginx/ticket/413). Doing some routine
> testing I see that this behaviour is also present in at least ngi

Extra RTT on large certificates (again?)

2017-05-22 Thread Albert Casademont
Hi, A few years ago a bug was reported on the extra RTT caused by large certificates (https://trac.nginx.org/nginx/ticket/413). Doing some routine testing I see that this behaviour is also present in at least nginx 1.12 and 1.13. Is it possible that the bug has reappeared? The threshold for the ex