Slow browsing in HTTPS

Discussion in 'Installation/Configuration' started by cremos, Jan 21, 2021.

  1. cremos

    cremos Member

    Hello !
    Code:
    Distributor ID: Debian
    Release:        10
    Codename:       buster
    Apache2 :     5.6.40-38
    ISPConfig    3.1.15p2
    Site madeleine.michelis-amiens.lyc.ac-amiens.fr:80
    My HTTPS sites are very slow: it takes more than 24s to display the home page.
    In HTTP mode madeleine.michelis-amiens.lyc.ac-amiens.fr:80 the site is displayed quickly, in 1.1s.
    I have a problem with the TLS configuration, which does not contain the correct cipher suites. Tested on ssllabs, it is full of "protocol or cipher suite mismatch" errors.
    So my browser spends 11 seconds looking for a configuration that works with my server.
    I compared the configuration on the ISPConfig server with the site https://ssl-config.mozilla.org/
    I don't understand why, in the configuration of a vhost on ISPConfig, we have a hash (#) in front of SSLCipherSuite while SSLHonorCipherOrder is set to on.
    Likewise, the PageSpeed Insights page cannot test the page: https://developers.google.com/speed/pagespeed/insights/?url=https://madeleine.micheliamiens.lyc.ac-amiens.fr% 2 F
    Thank you in advance for your answers.
     
  2. ahrasis

    ahrasis Well-Known Member

    Just visited the domain with https and it has no LE SSL certs but just self-signed certs?
     
  3. cremos

    cremos Member

    Last edited: Jan 21, 2021
  4. ahrasis

    ahrasis Well-Known Member

    Now it seems fixed.
     
  5. cremos

    cremos Member

    Hello !
    My HTTPS sites are very slow: it takes more than 24s to display the home page.
    Always with errors when verifying the certificate on ssllabs:
    I have a problem with the TLS configuration, which does not contain the correct cipher suites. Tested on ssllabs, it is full of "protocol or cipher suite mismatch" errors.
     
    Last edited: Jan 22, 2021
  6. cremos

    cremos Member

  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Where did you place your config and can you share that full file?
     
  8. cremos

    cremos Member

    I think it comes from the TLS 1.3 support, which I need to disable.
    Which configuration file do you want?
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You say you changed the configuration. I'm asking which file(s) you changed and if you could share those.
     
  10. cremos

    cremos Member

    I did a test in the vhost in question by doing an Include /etc/letsencrypt/options-ssl-apache.conf
    options-ssl-apache.conf:
    Code:
    # manually, Certbot will be unable to automatically provide future security
    # updates. Instead, Certbot will print and log an error message with a path to
    # the up-to-date file that you will need to refer to when manually updating
    # this file.
    
    SSLEngine on
    # Intermediate configuration, tweak to your needs
    # Disable the old, insecure protocols
    # -all removes the other SSL protocols (SSL 1, 2, 3, TLS 1); +TLSv1.2 adds TLS 1.2
    #SSLProtocol all -SSLv3
    SSLProtocol -all +TLSv1.2 -TLSv1.3
    
    SSLCipherSuite     ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    
    SSLHonorCipherOrder on
    SSLSessionTickets off
    # Enable HTTP Strict Transport Security (HSTS)
    SSLOptions +StrictRequire
    
    SSLUseStapling On
    ##SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
    
    ##request body exceeds maximum size (131072) for SSL buffer default SSLRenegBufferSize 131072
    ##SSLRenegBufferSize 100000000
    
    ## Added
    # Disable SSL compression
    SSLCompression off
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    
    # Add vhost name to log entries:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This config seems messy and not in the right location. Also, never manually mess around with vhosts and other files in /etc/apache2/sites-available and sites-enabled. These changes will be overwritten.

    ISPConfig sets a good set of ciphers and protocols; why do you want to change that?
     
  12. cremos

    cremos Member

    I'm doing these tests to correct the "protocol or cipher suite mismatch" errors, which slow down the loading of the page.
    My HTTPS sites are very slow: it takes more than 24s to display the home page.
    In HTTP mode madeleine.michelis-amiens.lyc.ac-amiens.fr:80 the site is displayed quickly, in 1.1s.
    I have a problem with the TLS configuration, which does not contain the correct cipher suites. Tested on ssllabs, it is full of "protocol or cipher suite mismatch" errors.
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Before changing any config, did you have this problem? Can you retrace your steps?
     
  14. cremos

    cremos Member

    In a previous report I already pointed out the problem of slowness and timeouts.
    I had problems; link to the report HERE.
    Previously I had issues with vhosts and certificates; once this was resolved, some users reported the slow-HTTPS-only issue to me.
     
  15. ahrasis

    ahrasis Well-Known Member

    I agree with @Th0m, as sometimes when we fix things we may end up breaking more or adding unnecessary things, which, if the latter is true, may explain the delay.

    However, I am sorry that I cannot help you much to troubleshoot your apache2 web server since I have not been managing one after I converted mine to nginx back in 2016.
     
  16. cremos

    cremos Member

    I made a small modification in the vhost in question by doing an Include /etc/letsencrypt/options-ssl-apache.conf. Then I commented out (#) the following lines in the vhost:
    Code:
    <IfModule mod_ssl.c>
        SSLEngine on
        ##SSLProtocol All -SSLv2 -SSLv3 -TLSv1.3
        ##SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        ##SSLHonorCipherOrder     on
        # <IfModule mod_headers.c>
        # Header always add Strict-Transport-Security "max-age=15768000"
        # </IfModule>
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /var/www/clients/client5/web85/ssl/madeleine.michelis-amiens.lyc.ac-amiens.fr-le.crt
        SSLCertificateKeyFile /var/www/clients/client5/web85/ssl/madeleine.michelis-amiens.lyc.ac-amiens.fr-le.key
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
    </IfModule>
    
    On the developers.google site, the performance test returns: Lighthouse returned error: failed_document_request (net::err_times_out).
     
    Last edited: Jan 23, 2021
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Again:
    - Don't edit the vhosts manually, as this can break things and changes will be overwritten.
    - Don't use Include /etc/letsencrypt/options-ssl-apache.conf for custom SSL functions.
    - There is no need to disable TLSv1.3
    - Don't use LE manually from the CLI but let ISPConfig create the certs.

    Have you tested if there are any issues when you leave out your HAProxy in front of it?

    Please share all changes you made to the Apache settings, vhost template, etc.
     
  18. cremos

    cremos Member

    I modified the vhost in question to only enable the secure protocol (TLS v1.2), but this is not possible; I have the impression that there is another configuration which predominates.
    nano 100-madeleine.michelis-amiens.lyc.ac-amiens.fr.vhost
    Code:
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
    
    [Screenshot attached: SSL Server Test_ madeleine.michelis-amiens.lyc.ac-amiens.fr.png]

    openssl s_client -connect madeleine.michelis-amiens.lyc.ac-amiens.fr:443
    Code:
    subject=CN = madeleine.michelis-amiens.lyc.ac-amiens.fr
    
    issuer=C = US, O = Let's Encrypt, CN = R3
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 3581 bytes and written 424 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    closed
    
    I wanted to disable the security protocol (TLS v1.3) to check whether my "protocol or cipher suite mismatch" errors came from that.
    I checked the HAProxy conf: no ssl-default-bind-options conf.
     
    Last edited: Jan 23, 2021
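An added lint for the mod_ssl directives pasted in posts #10, #16 and #18 above (example code written for this page, not ISPConfig's, Certbot's or the poster's own); the sample block is constructed to resemble those posts, and the cipher classification is a name-pattern heuristic rather than OpenSSL's own expansion of the list:

```python
# Constructed sample modelled on the thread's directives (TLS 1.3 disabled, mixed cipher list).
SAMPLE_VHOST_SSL = """\
#SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2 -TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
"""

def parse_ssl_directives(text):
    """Map each active SSL* directive to its (last) value; '#' lines are ignored."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("SSL"):
            directives[parts[0]] = parts[1].strip()
    return directives

def cipher_findings(cipher_suite):
    """Flag cipher names by naming pattern (heuristic, not OpenSSL's own expansion)."""
    findings = []
    for name in cipher_suite.split(":"):
        if not name or name[0] in "!-+@":  # exclusions and ordering keywords
            continue
        if "DES" in name or "RC4" in name:
            findings.append(f"{name}: legacy cipher (3DES/RC4)")
        if not name.startswith(("ECDHE-", "DHE-", "EDH-")):
            findings.append(f"{name}: no forward secrecy (static RSA key exchange)")
        elif not any(tag in name for tag in ("GCM", "CHACHA20", "CCM")):
            findings.append(f"{name}: CBC / non-AEAD suite")
    return findings

def lint_ssl_config(text):
    """Combine protocol, cipher and ordering checks into readable findings."""
    d = parse_ssl_directives(text)
    tokens = d.get("SSLProtocol", "").lower().split()
    findings = []
    if "-tlsv1.3" in tokens:
        findings.append("SSLProtocol: TLSv1.3 explicitly disabled; this gains nothing")
    legacy = [p for p in ("tlsv1", "tlsv1.1")
              if "+" + p in tokens or ("all" in tokens and "-" + p not in tokens)]
    if legacy:
        findings.append(f"SSLProtocol: {', '.join(legacy)} still allowed")
    findings += cipher_findings(d.get("SSLCipherSuite", ""))
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client's preference wins")
    return findings
```

The lint only reads the file it is given: the s_client output in #18 still shows TLSv1.3 negotiated despite -TLSv1.3 in the vhost, so the directives that actually apply come from whichever configuration (or the HAProxy in front) terminates TLS.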
  19. Steini86

    Steini86 Active Member

    You are messing with the config files in a way that is not intended. You are mixing ISPConfig and manual configuration, which is doomed to fail in the future: ISPConfig will overwrite the config files in the future!

    I would start from the beginning:
    1) Do an ispconfig upgrade and reconfigure your web service.
    2) Go to tools -> resync services and resync your websites
    3) Make sure Web still works. If your problem is not solved then, we can start from there.

    In general: SSL configuration in ISPC is done as a 'per vhost' setting, with the default settings coming from /usr/local/ispconfig/server/conf/vhost.conf.master. If you want to change that file, copy it to /usr/local/ispconfig/server/conf-custom/vhost.conf.master and change it there.
    In my configuration, I removed the individual SSL settings from vhost.conf.master and then the global settings from /etc/apache2/mods-enabled/ssl.conf are used. There I set the SSL versions and ciphers.
    In any case: The standard ISPC configuration should work. Try to restore it and then we look for the problem.
     
  20. cremos

    cremos Member

    Thank you for your feedback and your suggestions.

    1) Do an ispconfig upgrade and reconfigure your web service.
    I had an error when upgrading from version 3.1.15p2 to 3.2.2
    Error: "Unable to retrieve version file.root ispconfig", solution HERE.

    1) Do an ispconfig upgrade and reconfigure your web service.
    It is done.

    2) Go to tools -> resync services and resync your websites
    It is done.

    3) Make sure Web still works. If your problem is not solved then, we can start from there
    Web services are working but still slow in HTTPS and the error: "protocol or cipher suite mismatch"
    Again thank you to all of you
     
