WebPagetest Forums
OCSP Issue - Printable Version

+- WebPagetest Forums (https://www.webpagetest.org/forums)
+-- Forum: WebPagetest (/forumdisplay.php?fid=7)
+--- Forum: Bugs/Issues (/forumdisplay.php?fid=10)
+--- Thread: OCSP Issue (/showthread.php?tid=15423)

OCSP Issue - Webnauts - 06-29-2018 03:03 AM

We have OCSP enabled. Why do we get this reported in our tests? https://monosnap.com/direct/uW9WbWcjPjzVnTvj21OF7v2KfI9iyu

Any help would be very much appreciated.

RE: OCSP Issue - dfavor - 06-30-2018 02:02 AM

What you're seeing normally occurs as an artifact from using NGINX + many other proxies/CDNs.

If you look closely, you'll see the OCSP probe has no effect on your site speed.

Not really a problem. You can safely ignore this.

If you must fix this, use straight up Apache, as Apache handles this differently than other proxies I've tested.

http://www.webpagetest.org/result/180629_F8_02eed2e623fb788ef7e56f9d4e5b6f6d shows a simple static site, with straight up Apache, no proxy or CDN or any other tech.

RE: OCSP Issue - andydavies - 07-09-2018 11:49 PM

I wonder if OCSP stapling isn'y configured correctly somewhere…

SSL Test says it's enabled - https://www.ssllabs.com/ssltest/analyze.html?d=rainvac.com - so you shouldn't see the OCSP check in the waterfall.

The status check WILL be having a small speed impact - in the waterfall you linked to it's 89ms or ~16% of TTFB.

If you can get OCSP stapling working correctly then the TLS negotiation time for the root request will reduce as it's part of that step

RE: OCSP Issue - akshayranganath - 07-10-2018 02:34 AM

I can comment on the OCSP stapling with respect to CDN. (responding back to Andy's comment earlier)

Even when OCSP stapling is enabled, a CDN may not always respond back with the staple. Typically, the work flow occurs as follows:
1. very first user makes a request. CDN responds without the staple.
2. CDN asynchronously makes a request and pulls down the cert verification status
3. for subsequent requests, the staple is included.

Browsers are supposed to work regardless of a CDN. So the optimization is to ensure that the request for staple verification does not break / slow down a website.

RE: OCSP Issue - dfavor - 07-12-2018 12:18 AM

Refer to my comments above.

This appears to be an NGINX artifact which can be ignored.

Fix seems to be... simply removing NGINX, which solve other problems too, like 502 errors.

RE: OCSP Issue - webdesires - 05-27-2020 09:00 AM

no this is not NGINX because we actually use "straight up apache" as you said, however the CDN MIGHT use NGINX however obviously we have no control over what they do or dont do.