Hello!
Code:
Distributor ID: Debian
Release: 10
Codename: buster
Apache2 : 5.6.40-38
ISPConfig 3.1.15p2
Site madeleine.michelis-amiens.lyc.ac-amiens.fr:80
I am very slow on HTTPS sites: more than 24s to display the home page. In HTTP mode (madeleine.michelis-amiens.lyc.ac-amiens.fr:80) the site is displayed quickly, in 1.1s. I have a problem with the TLS configuration, which does not contain the correct cipher suites. Tested on ssllabs: it is full of "protocol or cipher suite mismatch" errors. So my browser spends 11 seconds looking for a configuration that works with my server. I compared the configuration on the ISPConfig server with the site https://ssl-config.mozilla.org/. I don't understand why, in the configuration of a vhost on ISPConfig, we have a hash (#) in front of SSLCipherSuite, with SSLHonorCipherOrder on. Likewise, the PageSpeed Insights page cannot test the page: https://developers.google.com/speed/pagespeed/insights/?url=https://madeleine.micheliamiens.lyc.ac-amiens.fr%2F Thank you in advance for your answers.
SLM, there is indeed a certificate generated by ISPConfig via the panel. Screenshot attached. Lycée Madeleine Michelis - Amiens (ac-amiens.fr) Cremos
Hello! I am very slow on HTTPS sites: more than 24s to display the home page, always with errors when verifying the certificate on ssllabs. I have a problem with the TLS configuration, which does not contain the correct cipher suites. Tested on ssllabs: it is full of "protocol or cipher suite mismatch" errors.
You say you changed the configuration. I'm asking which file(s) you changed and if you could share those.
I did a test in the vhost in question by adding an Include /etc/letsencrypt/options-ssl-apache.conf. options-ssl-apache.conf:
Code:
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
# Disable the old insecure protocols
# -all removes the other SSL protocols (SSL 1,2,3 TLS1); +TLSv1.2 adds TLS 1.2
#SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2 -TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLSessionTickets off
# Enable HTTP Strict Transport Security (HSTS)
SSLOptions +StrictRequire
SSLUseStapling On
##SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
##request body exceeds maximum size (131072) for SSL buffer default
SSLRenegBufferSize 131072
##SSLRenegBufferSize 100000000
## Added
# Disable SSL compression
SSLCompression off
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
This config seems messy and not in the right location. Also, never manually mess around with vhosts and other files in /etc/apache2/sites-available and sites-enabled. These changes will be overwritten. ISPConfig sets a good set of ciphers and protocols, why do you want to change that?
I'm doing these tests to correct the "protocol or cipher suite mismatch" errors, which slow down the loading of the page. I am very slow on HTTPS sites: more than 24s to display the home page. In HTTP mode (madeleine.michelis-amiens.lyc.ac-amiens.fr:80) the site is displayed quickly, in 1.1s. I have a problem with the TLS configuration, which does not contain the correct cipher suites. Tested on ssllabs: it is full of "protocol or cipher suite mismatch" errors.
In a previous report I already pointed out the problem of slowness and timeouts. I had problems; link to the report HERE. Previously I had issues with vhosts and certificates; once that was resolved, some users reported the HTTPS-only slowness issue to me.
I agree with @Th0m, as sometimes when we fix things we may end up breaking more or adding unnecessary things, which, if the latter is true, may explain the delay. However, I am sorry that I cannot help you much to troubleshoot your apache2 web server, since I have not been managing one after I converted mine to nginx back in 2016.
I made a small modification in the vhost in question by adding an Include /etc/letsencrypt/options-ssl-apache.conf. options-ssl-apache.conf: then I commented out (#) the following lines in the vhost:
Code:
<IfModule mod_ssl.c>
SSLEngine on
##SSLProtocol All -SSLv2 -SSLv3 -TLSv1.3
##SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
##SSLHonorCipherOrder on
# <IfModule mod_headers.c>
# Header always add Strict-Transport-Security "max-age=15768000"
# </IfModule>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/www/clients/client5/web85/ssl/madeleine.michelis-amiens.lyc.ac-amiens.fr-le.crt
SSLCertificateKeyFile /var/www/clients/client5/web85/ssl/madeleine.michelis-amiens.lyc.ac-amiens.fr-le.key
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</IfModule>
On the developers.google site, testing the performance returns: Lighthouse returned error: failed_document_request (net::err_timed_out).
Again:
- Don't edit the vhosts manually, as this can break things and changes will be overwritten.
- Don't use Include /etc/letsencrypt/options-ssl-apache.conf for custom SSL functions.
- There is no need to disable TLSv1.3.
- Don't use LE manually from the CLI but let ISPConfig create the certs.
Have you tested if there are any issues when you leave out your HAProxy in front of it? Please share all changes you made to the Apache settings, vhost template, etc.
I modified the vhost in question to only enable the secure protocol (TLS v1.2), but this is not possible; I have the impression that there is another configuration which takes precedence.
nano 100-madeleine.michelis-amiens.lyc.ac-amiens.fr.vhost
Code:
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
openssl s_client -connect madeleine.michelis-amiens.lyc.ac-amiens.fr:443
Code:
subject=CN = madeleine.michelis-amiens.lyc.ac-amiens.fr
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3581 bytes and written 424 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed
I wanted to disable the security protocol (TLS v1.3) to check whether my "protocol or cipher suite mismatch" errors came from that. I checked the HAProxy conf: there is no ssl-default-bind-options setting.
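The posts above mix an SSLProtocol expression, an SSLCipherSuite list and an s_client result that did not match the directive. The following script is an added illustration for this thread (not code from ISPConfig, Apache or any poster): it evaluates an Apache SSLProtocol expression the way mod_ssl does (left to right, with all / + / -), parses an explicit cipher list, and then checks which constructed client profiles could complete a handshake at all against the two configurations quoted in the thread. The client profiles, the RSA-key assumption (taken from the s_client output) and the fixed TLS 1.3 suite choice are assumptions, not SSL Labs simulator data; a client either has a matching protocol and cipher or fails immediately, which is what the "protocol or cipher suite mismatch" rows mean.

```python
"""Model how Apache's SSLProtocol expression and SSLCipherSuite list decide
whether a client can complete a TLS handshake at all.

Added illustration for the thread, not ISPConfig, Apache or poster code.
Client profiles below are constructed samples, not SSL Labs data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Protocol versions mod_ssl knows about, in ascending order.
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
RANK = {p: i for i, p in enumerate(PROTOCOLS)}

# TLS 1.3 suites are fixed by the protocol, not by SSLCipherSuite. This model
# simply picks the first one when TLS 1.3 is negotiated (assumption).
TLS13_SUITES = ("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_GCM_SHA256")


def parse_ssl_protocol(expr: str) -> set[str]:
    """Evaluate an Apache 'SSLProtocol' argument list left to right.

    'all' expands to every version; '+' or a bare name adds, '-' removes.
    Names match case-insensitively like mod_ssl. '-SSLv2' is a no-op
    (OpenSSL no longer has SSLv2); any other unknown token raises.
    """
    by_lower = {p.lower(): p for p in PROTOCOLS}
    enabled: set[str] = set()
    for token in expr.split():
        if token.startswith("-"):
            op, name = "-", token[1:]
        else:
            op, name = "+", token.lstrip("+")
        key = name.lower()
        if key == "all":
            names = set(PROTOCOLS)
        elif key == "sslv2" and op == "-":
            names = set()
        elif key in by_lower:
            names = {by_lower[key]}
        else:
            raise ValueError(f"SSLProtocol: unsupported token {token!r}")
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def parse_cipher_suite(spec: str) -> list[str]:
    """Parse an explicit OpenSSL cipher string like the one in the thread.

    Only literal suite names, '!pattern' exclusions and '@' ordering flags
    are handled; keyword groups (HIGH, ECDHE+AESGCM, ...) are not modelled
    and raise rather than being silently misread.
    """
    names: list[str] = []
    excluded: list[str] = []
    for token in spec.split(":"):
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token.startswith("@"):
            continue
        elif "-" in token:
            names.append(token)
        else:
            raise ValueError(f"SSLCipherSuite: keyword {token!r} not modelled")
    return [n for n in names if not any(x in n for x in excluded)]


def min_version(cipher: str) -> str:
    """AEAD and SHA-2 suites exist only from TLS 1.2; CBC/SHA-1 suites from SSLv3 up."""
    if any(m in cipher for m in ("GCM", "CHACHA20", "SHA256", "SHA384")):
        return "TLSv1.2"
    return "SSLv3"


@dataclass
class ServerConfig:
    protocol_expr: str
    cipher_suite: str
    honor_cipher_order: bool = True
    key_type: str = "RSA"  # the thread's certificate has an RSA key (s_client output)

    def usable_ciphers(self, proto: str) -> list[str]:
        """Suites the server can actually offer at 'proto' with its key type."""
        out = []
        for c in parse_cipher_suite(self.cipher_suite):
            if "ECDSA" in c and self.key_type != "ECDSA":
                continue  # needs an ECDSA certificate
            if RANK[proto] < RANK[min_version(c)]:
                continue  # suite does not exist at this version
            out.append(c)
        return out


@dataclass
class ClientProfile:
    name: str
    protocols: set[str]
    ciphers: list[str]


def negotiate(server: ServerConfig, client: ClientProfile) -> tuple[str, str] | None:
    """Return (protocol, cipher), or None for 'protocol or cipher suite mismatch'.
    The version is chosen first (highest common); TLS never drops to a lower
    version to find a cipher."""
    common = [p for p in PROTOCOLS
              if p in parse_ssl_protocol(server.protocol_expr) and p in client.protocols]
    if not common:
        return None
    proto = common[-1]
    if proto == "TLSv1.3":
        return proto, TLS13_SUITES[0]
    server_list = server.usable_ciphers(proto)
    if server.honor_cipher_order:
        pick = next((c for c in server_list if c in client.ciphers), None)
    else:
        pick = next((c for c in client.ciphers if c in server_list), None)
    return (proto, pick) if pick else None


def simulate(server: ServerConfig, clients: list[ClientProfile]) -> dict[str, tuple[str, str] | None]:
    return {c.name: negotiate(server, c) for c in clients}


# Directives quoted in the thread (options-ssl-apache.conf).
INTERMEDIATE = ServerConfig(
    "-all +TLSv1.2 -TLSv1.3",
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
# Same cipher list with TLS 1.0/1.1/1.3 re-enabled: does that help old clients?
WIDER = ServerConfig("all -SSLv3", INTERMEDIATE.cipher_suite)

# Constructed client profiles (not SSL Labs' simulator data).
CLIENTS = [
    ClientProfile("modern browser", {"TLSv1.2", "TLSv1.3"},
                  ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                   "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]),
    ClientProfile("tls1.0-only legacy client", {"TLSv1"},
                  ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA"]),
    ClientProfile("tls1.2 client with CBC suites only", {"TLSv1.2"},
                  ["ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "AES256-SHA"]),
]

if __name__ == "__main__":
    for label, srv in (("intermediate", INTERMEDIATE), ("wider", WIDER)):
        for name, result in simulate(srv, CLIENTS).items():
            print(f"{label:12} {name:38} {result or 'protocol or cipher suite mismatch'}")
```

Two things the run makes visible: with the quoted list, a TLS 1.2 client that only offers CBC suites gets a mismatch even though the protocol matches, and re-enabling TLS 1.0 does not rescue a TLS 1.0-only client because every suite in that list requires TLS 1.2. Whether such clients should be supported is a policy decision; the script only shows which directive is responsible for each mismatch row.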
You are messing with the config files in a way that is not intended. You are mixing ISPConfig and manual configuration, which is doomed to fail in the future: ISPConfig will overwrite the config files in the future! I would start from the beginning:
1) Do an ISPConfig upgrade and reconfigure your web service.
2) Go to Tools -> Resync services and resync your websites.
3) Make sure Web still works.
If your problem is not solved then, we can start from there. In general: SSL configuration in ISPC is done on a 'per vhost' setting, with the default settings coming from /usr/local/ispconfig/server/conf/vhost.conf.master. If you want to change that file, copy it to /usr/local/ispconfig/server/conf-custom/vhost.conf.master and change it there. In my configuration, I removed the individual SSL settings from vhost.conf.master, and then the global settings from /etc/apache2/mods-enabled/ssl.conf are used. There I set the SSL versions and ciphers. In any case: the standard ISPC configuration should work. Try to restore it and then we look for the problem.
Thank you for your feedback and your suggestions.
1) Do an ISPConfig upgrade and reconfigure your web service.
I had an error when upgrading from version 3.1.15p2 to 3.2.2. Error: "Unable to retrieve version file.root ispconfig". Solution HERE. It is done.
2) Go to Tools -> Resync services and resync your websites.
It is done.
3) Make sure Web still works. If your problem is not solved then, we can start from there.
Web services are working, but still slow in HTTPS, and the error "protocol or cipher suite mismatch" remains. Again, thank you to all of you.