Houston, I have a problem.

I have an instance of Apache (httpd) on one machine using mod_ssl with openssl and mod_jk pointing at several tomcat instances on other physical machines. Apache is really the only thing running on this box.

It is configured to use separate processes per connection to isolate them and set up to use /dev/urandom for startup and builtin for connect.

Requests processed throughout are lightning fast. The problem I am getting is slowness of the SSL handshake.

Looking at a tcpdump, there are instances of the server receiving bytes from the client (assuming this is trying to establish the SSL connection), but Apache (mod_ssl) does not respond. The client tries again ~3 seconds later, and gets no response. This can repeat several times before actually sending the certificates.

After the handshake is successful, it works smoothly. The problem is that browsers are not retrying frequently enough for the user to get a response quickly and the users are claiming "system slowness."

I need to figure out why Apache (or mod_ssl) is simply ignoring or taking forever to process the requests for certificates. Any ideas?

Thanks in advance.

Andy
  • Can you update your question with the relevant bits of the httpd.conf? Can you confirm (via netstat, logs, etc.) that it's the apache instance you expect that's actually listening on the https port? – cjc Jun 04 '12 at 16:35
  • httpd is listening on the correct port. I forgot to mention that this problem is intermittent... sometimes it works correctly and responds to the cert request and sometimes it doesn't. About 20% +/- 5% of requests are experiencing this problem. – Andy Jun 04 '12 at 16:39

Could it be that you're trying to do a reverse resolution?

I'd check this with tcpdump -ni eth0 port domain (adapt eth0).

There are plenty of different reasons leading to reverse lookups in Apache, so if that's the issue we can keep digging.

Pierre Carrier
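A Python script, added here as an example and not part of the question or the answer, that scans tcpdump-style lines for the pattern the question describes (a client's first data packet to port 443 left unanswered, then retransmitted) and counts any PTR lookup for that client issued in the gap, which is the reverse-resolution check the answer proposes. The sample capture, the 1 s threshold and the `tcpdump -tt -n` line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample approximating `tcpdump -tt -n` output (an assumption, not a
# real capture): client 10.0.0.5 sends its ClientHello to :443, hears nothing,
# retransmits ~3 s later, and only gets data back once a PTR lookup for its
# address has returned (here NXDomain). Client 10.0.0.9 is answered at once.
SAMPLE = """\
1338827701.000 IP 10.0.0.5.51234 > 10.0.0.2.443: Flags [P.], length 180
1338827701.050 IP 10.0.0.2.40000 > 10.0.0.53.53: 1+ PTR? 5.0.0.10.in-addr.arpa. (42)
1338827704.010 IP 10.0.0.5.51234 > 10.0.0.2.443: Flags [P.], length 180
1338827706.900 IP 10.0.0.53.53 > 10.0.0.2.40000: 1 NXDomain 0/0/0 (42)
1338827706.950 IP 10.0.0.2.443 > 10.0.0.5.51234: Flags [P.], length 1460
1338827710.000 IP 10.0.0.9.40001 > 10.0.0.2.443: Flags [P.], length 180
1338827710.020 IP 10.0.0.2.443 > 10.0.0.9.40001: Flags [P.], length 1460
"""

LINE = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
PTR = re.compile(r"PTR\? (\S+)\.in-addr\.arpa")


def stalled_handshakes(capture, port=443, threshold=1.0):
    """Map client endpoint -> stats for TLS handshakes the server answered late."""
    first_push, replied = {}, {}       # client -> first data sent / first data received
    retries, ptr_queries = defaultdict(int), defaultdict(int)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, rest = float(m["ts"]), m["src"], m["dst"], m["rest"]
        if dst.rsplit(".", 1)[1] == str(port) and "Flags [P." in rest:
            if src not in first_push:
                first_push[src] = ts       # first ClientHello from this client
            elif src not in replied:
                retries[src] += 1          # client re-sent while the server stayed silent
        elif src.rsplit(".", 1)[1] == str(port) and dst in first_push:
            replied.setdefault(dst, ts)    # first server data: handshake proceeding
        elif (q := PTR.search(rest)):
            ip = ".".join(reversed(q.group(1).split(".")))  # undo in-addr.arpa ordering
            for client in first_push:
                if client.rsplit(".", 1)[0] == ip and client not in replied:
                    ptr_queries[client] += 1   # reverse lookup issued during the stall
    report = {}
    for client, t0 in first_push.items():
        delay = replied.get(client, float("inf")) - t0   # inf: never answered
        if delay > threshold:
            report[client] = {"delay": round(delay, 3), "retries": retries[client],
                              "ptr_queries": ptr_queries[client]}
    return report
```

On the real box, feed it the output of `tcpdump -tt -n -i eth0 '(port 443 or port domain)'` (adapt eth0): stalled clients that show PTR queries in the gap point at reverse lookups, stalled clients without them point elsewhere.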