Your servers do not offer SSL session resumption. This means that every response contains a server certificate (3807 bytes) and your server has to perform a 2048-bit RSA decryption. This occurs for every piece of data fetched over SSL, even the tiny button pictures that are smaller than the certificate itself.
You should really enable SSL session resumption. It will save a lot of money in server cost and bandwidth, and your users will be happier too.
[Edit: WordPress staff replied that this was a mistake in their configuration and now this is fixed.]
5 thoughts on “Note to WordPress on SSL”
Thanks for letting us know. This was actually an unintentional side effect of some software upgrades we completed a while back. I have fixed it so that a valid Session ID should now be issued and session resumption should work as expected. Are things faster for you now?
Out of curiosity, which software upgrade was it?
Barry, yes, that worked. I see sessions being resumed now (server hello/change cipher spec/etc.) However, you definitely have a lot of duplicate acks, reordering, zero-window size advertisements and other strangeness going on there. So while it’s a bit faster now, there may be other issues.
Was this on an nginx-based frontend load balancer?
I know wordpress.com switched over to it in it’s stack. Wondering if it was a configuration change involved there or not.
Good catch! Is it all fixed on 2.8.4?
Comments are closed.