Multiple SSL enabled hosts cause nginx to reload slowly

Hi,

I’ve set up ssl_certificate and ssl_certificate_key directives on the
http level of my nginx configuration. The problem I’m facing is that
starting/reloading nginx is getting slower and slower as more hosts
(server directives) are added. The server has roughly 1000 SSL-enabled
hosts that inherit the ssl certificate directives.

I know nginx verifies the certificate when loading it, so I’m wondering
if nginx checks the certificate each time an SSL enabled host inherits
the shared certificate? If so, shouldn’t it only check the certificate
once? According to
http://nginx.org/en/docs/http/configuring_https_servers.html it should
cause all hosts to inherit a single memory footprint, but this doesn’t
seem to be the case.

If this is a bug in nginx it may be an idea to completely disable
certificate verification if possible?

Any advice is highly appreciated.

Best,
Rune

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,199166,199166#msg-199166

Hello!

On Wed, May 18, 2011 at 08:40:15PM -0400, runesoerensen wrote:

> the shared certificate? If so, shouldn’t it only check the certificate
> once? According to
> http://nginx.org/en/docs/http/configuring_https_servers.html it should
> cause all hosts to inherit a single memory footprint, but this doesn’t
> seem to be the case.
>
> If this is a bug in nginx it may be an idea to completely disable
> certificate verification if possible?
>
> Any advice is highly appreciated.

Quick look suggests that time is taken mostly here in
ngx_http_ssl_module.c:

    /* a temporary 512-bit RSA key is required for export versions of MSIE */
    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

As export versions of MSIE are rare and hardly supported nowadays
anyway, you may want to just nuke this code as a workaround.

I’ll take a look at this further as time permits.

Maxim D.

Hi Maxim,

Thanks for looking into this - I may apply the fix you propose sometime
in the future.

The solution I ended up with was kind of weird. I simply put the
ssl_certificate related directives inside a “faux” server directive,
that’s also the first server directive containing ssl directives. As
nginx picks the first one it finds, the correct certificate is still
being inherited by other server directives. This caused the startup time
to be drastically reduced.

Rune

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,199166,212974#msg-212974

Hello!

On Tue, Jul 26, 2011 at 10:48:49PM -0400, runesoerensen wrote:

> to be drastically reduced.

Just FYI: Igor recently committed a change to generate temporary
512-bit RSA keys on the fly and only when needed. This should
resolve problems with slow startup in all cases.

Maxim D.