SSL Certificate Performance

Question

Is it possible that a cheap security certificate could inhibit the performance of a website when serving pages over https?

Background: I have built an e-commerce website using Drupal 7 and Drupal Commerce. The site runs on an m3.xlarge Amazon EC2 Instance and everything has been performing very fast and efficiently until last weekend.

Last weekend saw a large spike in traffic over normal levels (bank holiday weekend), which saw up to 50 concurrent users on the site . The non-secured pages performed fast, however, when a user went from a http page (eg: the basket page) to a secured https page (checkout page), the site became very slow and in some cases crashed. As a test, removing the switch to https maintained the performance of the site and got it back up and running.

Questions:

Could the cheap SSL certificate have a hand in this issue?
Are there advantages in speed depending on the type of certificate purchased?
Does it sound like it could be an Apache configuration error?

Cheaper certificates may have longer delegation chains - but this will just cause a relatively small additional latency on first connect. The algorithm can have an impact - the Ephemeral Diffie-Hellman ciphers aer horrendously slow (openSSL now has improved versions of these which go a lot faster). — symcbean, May 07 '13 at 15:26

score 3 · Answer 1 · answered May 07 '13 at 14:42

Generally speaking, no, SSL performance is not linked to the price (or quality) of the certificate.

One specific exception that needs to be made is the CRL/OCSP distribution point that should be included with the cert. This is the property that indicates to the client where it should go to check if the certificate has been revoked or not.

If that option is enabled on the client (which is not the usual default), then in order to accept the certificate for the first time a separate request will have to be make to the OCSP server or CRL distribution point. Sine these are controlled by the CA, a poorly performing server will impact your users. However, since this is a) not generally enabled and 2) only happens for the first connection and until the cache expires (typically, 24 hours) it shouldn't have much of an impact on your own web site performance.

One thing you should keep in mind, however, is that enabling SSL - no matter what CA you use - will have a rather large impact on performance: it will bypass many caching mechanism (including many CDNs), will break load balancing to some extends and require far more CPU and memory resource per users from your server. For a server with low user count like yours, however, it shouldn't have much of an impact unless your system is badly undersized.

score 2 · Answer 2 · edited May 23 '17 at 11:33

2

Your certificate will make no difference to the speed of your HTTPS pages.

What will make a difference, however, is the overhead caused by SSL itself - see this answer for more information.

You can mitigate this by having more power available (i.e. more vCPUs) or altering the cipher set used to favour more efficient ciphers. I use the following on my Apache servers and have noticed a small (but noticeable) performance increase:

SSLCipherSuite RC4+RSA:+HIGH:+MEDIUM:+LOW

edited May 23 '17 at 11:33

Community

1

answered May 07 '13 at 14:39

Craig Watson

9,575
3
32
47

how does one have a "small (but significant) performance increase"? – tony roth May 07 '13 at 15:37
@tonyroth Well, a 10% difference would be small but significant to many, whereas a 0.01% difference would be small but insignificant. – ceejayoz May 07 '13 at 16:23
yep its all relative isn't it. :) – tony roth May 07 '13 at 17:57
@tony - fair point, I meant that the performance increase was small but noticeable! Answer edited :) – Craig Watson May 07 '13 at 19:53
Eek, please don't turn on the `LOW` ciphers. There should be no reason for that, most services should work great with `+HIGH:-MEDIUM:-LOW`. – Shane Madden May 08 '13 at 04:51

SSL Certificate Performance

2 Answers2