SSL / HTTPS Negotiation > 30% performance improvement by using just RSA, RC4, MD5


 



Not sure if the improvement is happening on the server side or the host side; however, here's what we see:

Using these settings (which I believe are PCI compliant) our average SSL negotiation was 300ms using the http://tools.pingdom.com/fpt/ test tool:
SSLProtocol -SSLv2 +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH

Using these settings our average time dropped to 200ms:
SSLProtocol (same as above)
SSLCipherSuite kRSA:!kKRB5:!aNULL:RC4:!eNULL:MD5:!SHA1:!DES:!3DES:!RC2:!SSLv2

These last settings restrict HTTPS to just RSA key exchange, RSA authentication, RC4 encoding and MD5 hash function which resulted in best performance according to the (not dated) WebSphere performance chart at link below.  The following browsers passed without complaint: Windows7 (IE9, FF8, O11, Chrome16), iPhone4s Safari.  I'm not sure if these settings cause older browsers to cough.  As the Apache documentation says, it helped me to play with the OpenSSL settings to see which values Apache will use like this (at Linux command line):

$ openssl ciphers -v 'kRSA:!kKRB5:!aNULL:RC4:!eNULL:MD5:!SHA1:!DES:!3DES:!RC2:!SSLv2'

Here's the performance chart:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.express.doc/info/exp/ae/rprf_ssl.html

Thanks,

Geoff Millikan
http://www.t1shopper.com/

PS. I'm no SSL/TLS guru - I'm just fiddling with settings and testing, but I wanted to share our results in the hopes it might help your site, but your mileage may vary.
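
Added example (not part of the original post): a shell function that reads the output of the `openssl ciphers -v` command shown above and labels each suite the cipher string enables. The sample lines are constructed in that command's output format; the function name `audit_ciphers` and the label names are assumptions of this example.

```shell
#!/bin/sh
# Added example: label each suite that a cipher string expands to.
# Real use: openssl ciphers -v "$CIPHER_STRING" | audit_ciphers
audit_ciphers() {
    awk '
    function add(s) { f = (f == "" ? s : f "," s) }
    NF < 3 { next }                     # skip blank or malformed lines
    {
        kx = au = enc = mac = ""
        for (i = 3; i <= NF; i++) {     # columns look like Key=Value
            n = index($i, "=")
            if (n == 0) continue        # e.g. the trailing "export" tag
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            if (k == "Kx")  kx  = v
            if (k == "Au")  au  = v
            if (k == "Enc") enc = v
            if (k == "Mac") mac = v
        }
        f = ""
        if (index(kx, "RSA") == 1)  add("static-RSA-kx")  # no forward secrecy
        if (au == "None")           add("no-auth")        # anonymous suites
        if (enc == "None")          add("no-encryption")
        if (index(enc, "RC4") == 1) add("RC4")            # RFC 7465 prohibits RC4 in TLS
        if (mac == "MD5")           add("MD5")
        printf "%s\t%s\n", $1, (f == "" ? "ok" : f)
    }'
}

# Constructed sample in the column layout printed by `openssl ciphers -v`.
SAMPLE='RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1'

printf '%s\n' "$SAMPLE" | audit_ciphers
```

The second column of `openssl ciphers -v` is the protocol version in which a suite was first defined, not the only version it can be negotiated under, so the function does not label on it.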


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.



